Hi,
I'm using the transaction command to combine two different events into one larger event with the user_id as the key. This works. What does not work is when I try to table the data. I cannot get an eval'ed string field to display in the table after I concat (+) the user_id field onto the end of it.
Ex:
search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message
Message is completely blank! It's because of the addition of user_id, but I cannot figure out why or how to make it work. If I put user_id in the table as its own column, that displays just fine. I understand user_id is a mv field at this point, but I've tried every eval mv field operator with no success: nomv, mvjoin, mvindex, etc.
Help!
edit: Also, if I do a nomv, mvjoin or mvindex on user_id and set that to a new field, OR just blah=user_id, that new field is also blank if I put it in the table! If I use mvlist=t and then run | eval test=mvjoin(user_id, " and "), test shows "NULL and NULL" in the table.