Hi,
I want my search to only return events that have field names matching Feature.Flags*
My data currently has the below field names but more and more feature flags will be released over time so I don't want to hard code them into the search.
Feature.Flags.1
Feature.Flags.2
Feature.Flags.3
How can I construct a search to only return events that contain any of these Feature.Flags* Field names but to exclude any events when all matching Feature.Flags fields have no value?
e.g. only return Events 1 and 3 below
Event 1
Feature.Flags.1 = True
Feature.Flags.2 = ""
Feature.Flags.3 = False
Event 2 (All Fields have no value so exclude this from the search)
Feature.Flags.1 = ""
Feature.Flags.2 = ""
Feature.Flags.3 = ""
Event 3
Feature.Flags.1 = False
Feature.Flags.2 = False
Feature.Flags.3 = False
I've tried different things but can't get it to work. For example the below returns all events in a table but unfortunately it includes Events where all Feature.Flags* fields have empty values
table host Feature.Flags*
I also tried the below but it just returned all entries with HostFlags set to False and none set to True
eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | search HostFlags=*
| table host Feature.Flags*
ganon640
Try this -
| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "xyz" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*
And
| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*
The first one will give you a result and the second one will not, which matches your criteria.
Let me know. Thanks
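Note that in both searches above the foreach overwrites HostFlags on every iteration, so after the loop it holds only the value of the last Feature.Flags field (which is why the question's own attempt showed nothing but False, the value of Feature.Flags.3). The following is an added example, not code from the thread: it counts how many Feature.Flags fields are non-empty and keeps an event only when that count is greater than zero. The first five lines construct the three sample events from the question with makeresults (the event_id and set_flags field names are my own); on real data, replace them with your base search and keep the last four lines.

```spl
| makeresults count=3
| streamstats count AS event_id
| eval Feature.Flags.1 = case(event_id=1, "True",  event_id=2, "", event_id=3, "False")
| eval Feature.Flags.2 = case(event_id=1, "",      event_id=2, "", event_id=3, "False")
| eval Feature.Flags.3 = case(event_id=1, "False", event_id=2, "", event_id=3, "False")
| eval set_flags = 0
| foreach Feature.Flags.* [eval set_flags = set_flags + if(len(coalesce('<<FIELD>>', "")) > 0, 1, 0)]
| where set_flags > 0
| table event_id set_flags Feature.Flags.*
```

Event 1 comes back with set_flags=2 and Event 3 with set_flags=3; Event 2 is dropped. The coalesce matters for real data: a flag field that is missing from an event (rather than empty) evaluates to null inside the foreach, and without coalesce the addition would turn set_flags null and the event would be silently discarded by the where. Because the count only increments for fields that exist and are non-empty, events with no Feature.Flags fields at all are excluded as well, which is the other half of the original requirement, and new Feature.Flags.N fields are picked up automatically by the wildcard without editing the search.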