Not sure where I should be going, but I am all for raw data going into fields, enhanced, etc.
I am looking at our raw data and there is a field called ID=XXXXXX, which is the field I am interested in. There is also another occurrence of ID= XXXXX YYYYY in the event, which I am not interested in.
Both are showing up in my searches,
NAME=MX001 and the second one
I have tried Eval substr(ID,1,6) to no avail. Any help would be appreciated.
P.S. Could this have been taken care of during original extraction?
Let me try to show examples:
1) id=jim,addr=12 main st,phone=825-585-9865
2) id=tom,addr=45 maple,phone=528-777-9685,id=tom second
I am using a simple table:
table id addr phone
jim 12 main st 825-585-9865
tom 45 maple 528-777-9685
(the line above is the problem)
I guess what I am trying to do is a report using the first occurrence of a field within an event.
Some events have multiple fields, some don't.
I looked at stats first(xx), but it returned the first occurrence of the first event only.
It should be a matter of adding | search ID!="XXXXX *" to your query. If you share the existing query we can be more specific.
Could you clarify a couple of things?
- Both fields are automatically extracted and they both exist in your index?
- One is called NAME and the other one ID?
- You only have use for NAME but not for ID?
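
Added example, not part of the original thread: one way to keep only the first occurrence of a field within each event, using the two sample events from the question. It rebuilds those events with makeresults, pulls every id value into a multivalue field with rex, and keeps the first value per event with mvindex (unlike stats first(), which picks one value across events); the field names n, id_all and id_occurrences are assumptions introduced for illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n=1, "id=jim,addr=12 main st,phone=825-585-9865",
    n=2, "id=tom,addr=45 maple,phone=528-777-9685,id=tom second")
| rex max_match=0 "(?:^|,)id=(?<id_all>[^,]+)"
| rex "(?:^|,)addr=(?<addr>[^,]+)"
| rex "(?:^|,)phone=(?<phone>[^,]+)"
| eval id=mvindex(id_all, 0)
| eval id_occurrences=mvcount(id_all)
| table id addr phone id_occurrences
```

The id_occurrences column shows 1 for the first event and 2 for the second, which makes events carrying a repeated key easy to find and review.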