HelloI have a log like this:ABC=true,DEF=false,GHI=false,JKL=trueI want to show only ABC and JKL in the result,because these are having value as true.Result should be like below
ABCJKL
index=_internal | head 1 | fields _raw| eval _raw="ABC=true,DEF=false,GHI=false,JKL=true"| rename COMMENT as "this is sample"
| kv| eval col="1"| table col *| untable col field value| where value="true"
That is not a static log,it is dynamic logABC=TRUE or FALSE depend upon Source The ABC value may differ so if the value of ABC=TRUE then we have to show ABC in result other wise No.
Hi @vinod0313 ,@to4kawa's option is dynamic like that. You only need the part starting with | kvThe lines above were just to make up some sample data.You can change ABC to ACB or ACAB or whatever your data will have - only the ones with "true" as value will be listed. Give it a try 🙂BRRalph
