![]() ![]() This is how I thought it would be created: eval NewValue (FirstValue.60)+ (SecondValue.40) I've verified that: stats values (FirstValue) and. Ive had the most success combining two fields the following way eval CombinedName Field1+ Field2+ Field3 If you want to combine it by putting in some fixed text the following can be done eval CombinedNameField1+ Field2+ Field3+ 'fixedtext' +Field5,Ive had the most success in combining two fie. 60 then add that to another field that has been multiplied by. ![]() I'm trying to take one field, multiply it by. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 evaluation functions. I have been unable to add two field values and use the new value of a new column. In other words, I cannot see why your original code shouldn't work. The following list contains the functions that you can use to compare values or specify conditional statements. Putting these two together, I get emulated result that is exactly like you wanted: Percentage % Using the first table to reverse engineer the output from index="myindex" sourcetype="hamlet" environment=staging | top 10 client, I write the following emulation: | rename client AS "Users", count AS "Requests", percent AS "Percentage %" Index="myindex" sourcetype="hamlet" environment=staging Additionally, I need to append a semi-colon at the end of each field. displayMessage 'User single sign on to app') OR. I have four fields: SignatureName, VendorSignature, IncidentDetailURL, AnalystAssessment that I need to concatenate into one field (single string) called Event Detail. Have you tried this indexxyz sourcetypeOkta ( (eventTypeuser. I interpret this as the 2nd scenario in my previous post. when user is on on-prem you will see only one event. My initial idea was to have individual eventtypes for each operations value. Im trying to export each value of the operations field into distinct fields per value. There are 39 unique values, each with its own unique set of fields. ![]() Your original post also included commands that looks to be able to correctly make the change, something like Actually when user is on VPN you will see below events. The data in field AuditDatakeys in unique based on the values in a field called operations. The revised question does show a difference between actual output and desired output. The eval and where commands support functions, such as mvcount (), mvfilter (), mvindex (), and mvjoin () that you can use with multivalue fields. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |