Hi,
I have a field alert which contains the following events:
“Failed Logon”
“Dropped Database”
However, sometimes the source application adds the string “Multiple - “ before it. Hence when running stats I end up with results like:
“Failed Logon” 9
“Multiple - Failed Logon” 1
“Dropped Database” 2
“Multiple - Dropped Database” 3
I am looking for way to remove the string “Multiple - ” from the event field. The results should look like
“Failed Logon” 10
“Dropped Database” 5
Appreciate your help!
You need the replace
command:
| replace "Multiple - *" with "*" in alert