Re: Reference multiple fields into a single name

irkey · ‎08-26-2024

Is there a way to reference or combine multiple fields into a single name so that it can be referenced by that new name?

For example: somefield IN (a,b,c,d)

If I run a query for "somefield" I get "a", "b", "c", "d" returned.

I want to be able to refer to "somefield" by a single name. Is that possible?

So if run a query for "somefield", I would get the aggregate results of a,b,c,d ?

gcusello · ‎08-26-2024

you have two choices:

use a macro, as hinted by @KendallW ,

in this way if you created an evenntype called e.g. "somefield" containing somefield IN (a,b,c,d), you can call it using

eventtype=somefield

Ciao.

Giuseppe

irkey · ‎08-27-2024

Thank you, I will investigate this as well to see what works best.

gcusello · ‎08-27-2024

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

KendallW · ‎08-26-2024

irkey · ‎08-27-2024

Thank you, I will investigate this.

Reference multiple fields into a single name