Solved: eval condition help on manipulating a field which ...

pavanae · ‎11-12-2019

I have an eval condition in my query as follows

My_query | eval object=host." (".id.")"  | table host object

which gives me the null values on the object field as follows

host    object
abc

And reason for empty values in object field is that the id field has more than one value.

Now, how can display the object field values in case of multiple values for id field?

solarboyz1 · ‎11-12-2019

You could try the following:

Your_Query 
| mvexpand id
| eval object=host." (".id.")"  
| table host object

mvexpand expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

solarboyz1 · ‎11-12-2019

You could try the following:

Your_Query 
| mvexpand id
| eval object=host." (".id.")"  
| table host object

mvexpand expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

eval condition help on manipulating a field which has multiple field values?