Hi
From the search, I get the field file_path. I have to differentiate the events based on the file path.
file_path=file:_C:\users........
and file=file:_D:\.......
How do I write an eval function to differentiate these?
Search I'm using :
index=abc|eval title=if(file LIKE "C:\", "Normal", "USB or External Media")
Try using match()
index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")
With eval you can use either the like() function or the match() function to do regular-expression-based matching (and wildcarding).
index=abc|eval title=if(like(file_path,"C:\%"), "Normal", "USB or External Media")
index=abc|eval title=if(match(file_path,"^C:"), "Normal", "USB or External Media")
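Added example, not part of the thread above: a small Python model of how like() and match() treat the two kinds of pattern, run over constructed file_path values shaped like the ones in the question. It assumes Splunk semantics as I understand them (like() uses SQL-style wildcards where % is any run of characters and _ is one character, and is anchored to the whole value; match() is an unanchored regex, and the SPL string literal "C:\\\\" reaches the regex engine as C:\\, i.e. a literal C:\). The sample values and the classify() helper are my own, and the example goes slightly beyond the answers by showing why an anchored "^C:" pattern misses values that carry the "file:_" prefix while an unanchored match() or a "%C:\%" like() pattern still classifies them.

```python
import re

# Constructed sample values of the file_path field, modelled on the shapes
# shown in the question (the "file:_" prefix and the drive letter vary).
SAMPLE_FILE_PATHS = [
    r"file:_C:\users\alice\report.docx",
    r"file:_D:\backup\report.docx",
    r"file:_E:\stick\report.docx",
    r"C:\Windows\notepad.exe",
]


def like_to_regex(pattern: str) -> str:
    """Translate a like() wildcard pattern into an anchored regex.

    Assumption (mirrors Splunk like()): '%' matches any run of characters,
    '_' matches exactly one character, everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def spl_like(value: str, pattern: str) -> bool:
    """Model of eval like(value, pattern): whole-value wildcard match."""
    return re.search(like_to_regex(pattern), value) is not None


def spl_match(value: str, regex: str) -> bool:
    """Model of eval match(value, regex): unanchored regex search."""
    return re.search(regex, value) is not None


def classify(file_path: str) -> str:
    """Label a path as local ("Normal") or removable ("USB or External Media").

    The regex here is what the SPL literal "C:\\\\" becomes after string
    unescaping: the two characters C: followed by one literal backslash.
    Because match() is unanchored, the "file:_" prefix does not matter.
    """
    if spl_match(file_path, r"C:\\"):
        return "Normal"
    return "USB or External Media"


def classify_all(paths=SAMPLE_FILE_PATHS) -> dict:
    """Return {file_path: title} for every sample value."""
    return {p: classify(p) for p in paths}


if __name__ == "__main__":
    for path, title in classify_all().items():
        print(f"{title:24s} {path}")
    # An anchored pattern silently misses the prefixed values:
    print("anchored ^C: hits prefixed value:",
          spl_match(SAMPLE_FILE_PATHS[0], r"^C:"))
    # A leading % lets like() tolerate the prefix:
    print("like %C:\\% hits prefixed value:",
          spl_like(SAMPLE_FILE_PATHS[0], r"%C:\%"))
```

When checking a pattern like this against real data, run it in a search with `| stats count by title` first: a pattern that silently returns "USB or External Media" for every event (because an anchor or an escaping mistake never matched) looks like a working search until the counts are inspected.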