Hi folks,

[Current scenario] When a role is created with capabilities, I am receiving one event for the role creation and each added capability is generated as an event. For example, one role with five capabilities will produce six events in total with similar 'ID'.
Event for role created:
2023-04-20T16:08:05,290 INFO [ID] 1234567:user - Added IdentityType=Role Name=<Role Name>, ObjId=<Object Id>.

Events for capability added:
2023-04-20T16:12:07,020 INFO [ID] 1234567:user - Access Control change on ObjectType=<Object type>, Name=<Capability>, ObjId=<Object Id>.
2023-04-20T16:12:07,020 INFO [ID] 1234567:user - Access Control change on ObjectType=<Object type>, Name=<Capability>, ObjId=<Object Id>.
2023-04-20T16:12:07,020 INFO [ID] 1234567:user - Access Control change on ObjectType=<Object type>, Name=<Capability>, ObjId=<Object Id>.
2023-04-20T16:12:07,021 INFO [ID] 1234567:user - Access Control change on ObjectType=<Object type>, Name=<Capability>, ObjId=<Object Id>
2023-04-20T16:12:07,021 INFO [ID] 1234567:user - Access Control change on ObjectType=<Object type>, Name=<Capability>, ObjId=<Object Id>.

My SPL:
index=test | eval Info=case(Type="Role" AND Action="Added",'User'." "."has created the role named ".'Name'." with the following capabilities: ".'Capabilities')

In the above, I need the values of the five capabilities in the field (Capabilities).

[Requirement] Any idea on how to include all the capabilities based on ID into a field called 'Capabilities'? Note: I don't want to use 'stats values()' directly in my main search.
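
The correlation asked for above, shown offline as an added example (Python, not SPL, and not code from the original post): it parses events in the quoted format, groups capability names by the shared ID, and builds the same Info sentence for each role-creation event. It assumes the number before `:user` is the shared ID; the role name, capability names, object type and object ids in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events in the format quoted in the post; the role name,
# capability names, object type and object ids are made-up placeholders.
SAMPLE = """\
2023-04-20T16:08:05,290 INFO [ID] 1234567:user - Added IdentityType=Role Name=example_role, ObjId=100.
2023-04-20T16:12:07,020 INFO [ID] 1234567:user - Access Control change on ObjectType=Capability, Name=cap_a, ObjId=201.
2023-04-20T16:12:07,020 INFO [ID] 1234567:user - Access Control change on ObjectType=Capability, Name=cap_b, ObjId=202.
2023-04-20T16:12:07,021 INFO [ID] 1234567:user - Access Control change on ObjectType=Capability, Name=cap_c, ObjId=203
2023-04-20T16:20:00,000 INFO [ID] 7654321:admin - Access Control change on ObjectType=Capability, Name=cap_z, ObjId=900.
"""

# Assumption: the number before ":user" is the ID shared by related events.
HEADER = re.compile(r"^(?P<ts>\S+) INFO \[[^\]]*\] (?P<id>\d+):(?P<user>\S+) - (?P<msg>.*)$")
ROLE = re.compile(r"^Added IdentityType=Role Name=(?P<name>[^,]+), ObjId=")
CAP = re.compile(r"^Access Control change on ObjectType=[^,]+, Name=(?P<name>[^,]+), ObjId=")


def summarize(log_text):
    """Return one Info string per role-creation event, keyed by ID."""
    roles = {}                  # ID -> (user, role name)
    caps = defaultdict(list)    # ID -> capability names, in log order
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue            # skip lines that are not in this format
        msg = head["msg"]
        if (m := ROLE.match(msg)):
            roles[head["id"]] = (head["user"], m["name"])
        elif (m := CAP.match(msg)) and m["name"] not in caps[head["id"]]:
            caps[head["id"]].append(m["name"])
    # Capability events whose ID has no role-creation event are left out,
    # mirroring the Type="Role" AND Action="Added" condition in the post.
    return {
        rid: f"{user} has created the role named {name} with the following "
             f"capabilities: {', '.join(caps.get(rid, [])) or '(none logged)'}"
        for rid, (user, name) in roles.items()
    }


if __name__ == "__main__":
    for rid, info in summarize(SAMPLE).items():
        print(rid, info)
```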