Yes, that's the idea. If you want to use request_path_in_request as you orginally do, you can do | eval request_path_in_request = mvjoin(mvindex(request_path_in_request, 0,3), "/") But doing so would be less semantic. Personally, I often assign modified values back to original field name. But that's only when the modification do not considerably alter the semantic meaning of the original field name. (I did use | eval request_path_in_request = split(request_path_in_request, "/") in my illustration.)
... View more
