Solved: Re: How do I Search a Multi-Value Field?

atebysandwich · ‎10-12-2023

I need to search a field called DNS_Matched, that has multi-value fields, for events that have one or more values that meet the criteria of the value ending with -admin, -vip, -mgt, or does not meet any of those three. How can I do that?

Example

DNS_Matched

host1
host1-vip
host1-mgt

host2
host2-admin
host2-mgmt
host2-vip

richgalloway · ‎10-12-2023

To work with multi-value fields, look to the mv* functions.

| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)

The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-12-2023

To work with multi-value fields, look to the mv* functions.

| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)

The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.

---
If this reply helps you, Karma would be appreciated.

atebysandwich · ‎10-12-2023

This helped a lot. Thank you!

How do I Search a Multi-Value Field?

eval

field extraction

fields

regex

stats

table

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms