I am looking to have a eval search that looks for a field name of "Name" and adds the value. If the field doesn't exist, I want to add a field of "Name" and add "N/A" for the data.
| eval Name = if((like(Name,"*"))),"&Name&","N/A")
This might be the wrong way of doing it.
Event example #1:
| Hostname | Time | Name | Action |
| Server02 | 11:22am | jdoe | logon |
| Server20 | 1:30pm | jsmith | logon |
Event example #2:
| Hostname | Time | Action | |
| Workstation | 10:45am | Saved | |
| Workstation 100 | 12:30pm | Saved | |
After the search is run I want the data to look like this.
| Hostname | Time | Name | Action |
| Server02 | 11:22am | jdoe | logon |
| Server20 | 1:30pm | jsmith | logon |
| Workstation | 10:45am | N/A | Save |
| Workstation 100 | 12:30pm | N/A | Save |
| | | | |
