Solved: Multi Field values into Single field value

kamaleshwar · ‎11-19-2019

I need help in getting multiple field values into single field to compare it and get the match if any.

For example, I have Field 1, Field 2, and so on till Field 10 and similarly each field is having unique value. I need to check if any of the value is matching with other events and get that value.

Please help on this and let me know if more info needed.

Anantha123 · ‎11-19-2019

Hi,

To combine all fields in to 1 , you can try below query

| eval output=(mvappend(field1, field2, field3, field4, field5, field6, field7, field8, field9, field10)) | mvexpand output | dedup output | table output

View solution in original post

Anantha123 · ‎11-19-2019

Hi,

To combine all fields in to 1 , you can try below query

| eval output=(mvappend(field1, field2, field3, field4, field5, field6, field7, field8, field9, field10)) | mvexpand output | dedup output | table output

kamaleshwar · ‎11-22-2019

This worked, thanks a lot.

kamaleshwar · ‎11-20-2019

The output should not be the concatenated value of all field values, It should unique value only. Because I need to compare each value with other events values to get the matched one using the same value in different activities and get them out from that.

richgalloway · ‎11-19-2019

Can you show some example events and the expected output?

---
If this reply helps you, Karma would be appreciated.

kamaleshwar · ‎11-20-2019

My log would have multiple user ids: userid1: "value"; userid2: "value" and so on. Here I need to get the userid value and compare it with other events to identify the same user id has been used in different activities/ multiple times.

The output would be like:
User ID Activity Count(Activity)

Let me know if this is helpful.

Multi Field values into Single field value

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023