fieldA is the extracted field already available
fieldB is eval field
| eval fieldB=*
| where fieldA=fieldB
Here I'm trying to match all values of fieldA. The above command is not working,
whereas if I give
| eval fieldB=test
| where fieldA=fieldB
then it matches fieldA with value test
I'm trying to do something complex; this is the part where I am stuck.
The eval command treats the asterisk character as multiplication.
If your task is complex I recommend regular expressions, for example to match everything:
... | eval fieldB=".*" | where match(fieldA, fieldB)
To match "test":
... | eval fieldB="^test$" | where match(fieldA, fieldB)
Just as an FYI, you don't need to call format at the end of a subsearch, because it will be called implicitly anyway.
I prefer using your way. It's faster 🙂
Thank you for the tip. I actually wrote a subsearch to achieve it!
[search |stats count |eval fieldA= if("APP"=="APP","*","test") | fields fieldA| format]
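An added example, not part of the original thread: the conditional from the subsearch above combined with the regex approach from the answer, so the pattern is chosen in eval and no subsearch is needed. The events are constructed with makeresults, and the field name app and the sample values are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval fieldA=case(n==1, "test", n==2, "testing", n==3, "prod", n==4, "my-test")
| eval app="APP"
| eval fieldB=if(app=="APP", ".*", "^test$")
| where match(fieldA, fieldB)
| table fieldA fieldB
```

With app set to "APP" all four rows are kept; with any other value only the row where fieldA is exactly test remains. The ^ and $ anchors matter because match() succeeds on any substring hit, so an unanchored "test" would also keep testing and my-test.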