oh wow, that took me some time to understand it entirely. I like it! ... View more

Really nice solution @tiago. 6 years later I could additionally mention that you can now use the foreach command to loop through the mv-fields to avoid the mvexpand. Here is my example in case you want to compare the mv-fields bi-directional: | makeresults | eval F1=split("a,b,c,z",","),F2=split("a,b,c,d",",") | foreach mode=multivalue F1 [ eval only_in_F1 = mvsort(if(isnull(mvfind(F2,<<ITEM>>)),mvappend(<<ITEM>>,only_in_F1),only_in_F1)) ] | foreach mode=multivalue F2 [ eval only_in_F2 = mvsort(if(isnull(mvfind(F1,<<ITEM>>)),mvappend(<<ITEM>>,only_in_F2),only_in_F2)) ]   ... View more

Hey guys, I just stumbled over the same issues. Besides remembering the WEC Host name I wanted to have a field with the original (custom) Channel Name. After some playing around I got this config on my indexers and it seems to work fine for me. props.conf   [WinEventLog:ForwardedEvents] TRANSFORMS-change_host_for_windows_wef = WinEventRememberHost, WinEventHostOverride [XmlWinEventLog:ForwardedEvents] TRANSFORMS-change_xml_host_for_windows_wef = WinEventRememberHost, WinEventXmlHostOverride [(?::){0}WinEventLog:*] TRANSFORMS-1-SaveOrigChannel = WinEventSetOrigChannelName [(?::){0}XmlWinEventLog:*] TRANSFORMS-1-XmlSaveOrigChannel = WinEventSetOrigChannelName   transforms.conf   [WinEventHostOverride] DEST_KEY = MetaData:Host REGEX = (?m)ComputerName=(.*)?\b FORMAT = host::$1 [WinEventXmlHostOverride] DEST_KEY = MetaData:Host REGEX = <Computer>(.*).*?<\/Computer> FORMAT = host::$1 [WinEventRememberHost] SOURCE_KEY = MetaData:Host REGEX = host::(.+) FORMAT = host_UF::$1 WRITE_META = true [WinEventSetOrigChannelName] REGEX = WinEventLog:(.*) SOURCE_KEY = MetaData:Source FORMAT = original_channel::$1 WRITE_META = true   ... View more