Hi all,
I tried to get rid of my workaround solution of adding
| collect index=test testmode=true
to my searches. The above command creates a _raw field with all fields from my (stats) search, so I didn't need to add all my fields to a new aggregated one. I need all Field=Value pairs in one field because I set up an alert action for each saved_search, and with a standard field $result._raw$ it's easier to apply this to many searches (250+).
Aggregating with collect:
| makeresults count=2
| eval src="1.1.1.1", dest="10.10.10.10", dest_port="123", eventCount=random()
| eval eventDetails="Source=" . src . " " . "Destination=" . dest . " " . "Port=" . dest_port . " " . "eventCount=" . eventCount
| collect index=test testmode=true
Aggregating with foreach:
| makeresults count=2
| eval src="1.1.1.1", dest="10.10.10.10", dest_port="123", eventCount=random()
| eval eventDetails="Source=" . src . " " . "Destination=" . dest . " " . "Port=" . dest_port . " " . "eventCount=" . eventCount
| eval x_raw=""
| foreach * [ eval x_raw="<<FIELD>>"+"="+'<<FIELD>>' + ", " + x_raw]
My x_raw field contains the fields twice; I was not able to get a result like the _raw field from my "| collect" workaround.
x_raw=src=1.1.1.1, eventDetails=Source=1.1.1.1 Destination=10.10.10.10 Port=123 eventCount=607756396, eventCount=607756396, dest_port=123, dest=10.10.10.10, , src=1.1.1.1, eventDetails=Source=1.1.1.1 Destination=10.10.10.10 Port=123 eventCount=607756396, eventCount=607756396, dest_port=123, dest=10.10.10.10,
Any ideas how to solve this?
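An added example (not from the original post) of one way the foreach version can be written so the accumulator is not folded into itself: it assumes the doubling comes from foreach * also matching the x_raw field, skips that one field with an if() on the literal field name, and trims the trailing separator with rtrim().

```spl
| makeresults count=2
| eval src="1.1.1.1", dest="10.10.10.10", dest_port="123", eventCount=random()
| eval eventDetails="Source=" . src . " " . "Destination=" . dest . " " . "Port=" . dest_port . " " . "eventCount=" . eventCount
| eval x_raw=""
| foreach * [ eval x_raw=if("<<FIELD>>"=="x_raw", x_raw, "<<FIELD>>" . "=" . '<<FIELD>>' . ", " . x_raw) ]
| eval x_raw=rtrim(x_raw, ", ")
```

The first four lines are the pipeline from the post; only the foreach template and the final rtrim() are different.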