Hi
I extracted a multivalue field called error_number
which contains all errors in each event. I would like to make a search for those events in which the first field value (in error_number) that appears in the event is not equal to "23424". The error_number="23424" could appear in the event, but it cannot be the first error_number in the event.
This should work:
yoursearchhere
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"
Thank you. It worked perfectly.
Hi
Is there a way that I could get only the field value that happened before the field value error_number=23424? For example, I have the following errors in one event: 1002, 3450, 23424, and 34332. All of the errors are in the multi-value field error_number.
I would like to save only the field value error_number=3450.
yoursearchhere
| eval index = mvfind(error_number,"23424")
| where isnotnull(index) AND index!=0
| eval new_error_number = mvindex(error_number,index-1)
If you actually want to set error_number to the single value that preceded "23424", just change new_error_number to error_number.
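To see both searches from this thread working on a self-contained event, here is an added example (not from either answer above) that builds a constructed multivalue field with makeresults and split and then applies the first-value check and the preceding-value lookup in one pipeline. The field name error_number and the value 23424 are taken from the thread; the sample values and the output column names first_error, idx and preceding_error are assumptions made for this example. Note that mvfind matches a regular expression, so the pattern is anchored with ^ and $ so that a value such as 123424 is not treated as a match.

```spl
| makeresults count=1
| eval error_number=split("1002,3450,23424,34332", ",")   /* constructed sample event */
| eval first_error=mvindex(error_number,0)               /* first value, zero-based index */
| eval idx=mvfind(error_number,"^23424$")                /* index of the first exact 23424, null if absent */
| eval preceding_error=if(isnotnull(idx) AND idx>0, mvindex(error_number,idx-1), null())
| where first_error!="23424"                             /* drop events whose first error is 23424 */
| table error_number first_error idx preceding_error
```

With the constructed values the result row shows first_error=1002, idx=2 and preceding_error=3450. If 23424 were the first value, the where clause would drop the event; if it were absent, idx and preceding_error would both be null, which is why the original answer filters on isnotnull(index) AND index!=0 before calling mvindex with index-1.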
Thank you. It worked perfectly. I appreciate your help.