Hello,
I'm trying to pass the values of one field to another field. Is there a best way to do it?
Query:
index=alerts status=resolved
| dedup incident_id
| table incident_id user
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned
| modifyincidents owner="$result.user$"
I'm trying to pass the user value to owner.
Hi knalla,
Let me understand: does the $result.user$ token come from a dropdown input?
What's "modifyincidents"? It isn't a command.
Anyway, if you want to assign a token's value to a field, you can use the eval command:
index=alerts status=resolved
| dedup incident_id
| table incident_id user
| lookup incidents incident_id OUTPUTNEW alert, title, owner, status, impact, urgency, external_reference_id
| search owner=unassigned
| eval owner="$result.user$"
The table command in the middle of a search isn't useful; if you want to limit the fields that your search uses, use the fields command.
Bye.
Giuseppe