I would like to condense this search output in order to see all Windows versions as "Windows" and all Mac versions as "Mac".
sourcetype="fire-ext_prd_app" NOT cv
| eval Mac = proctorCacheOS2
| eval Windows = proctorCacheOS
| spath output=proctorCacheOS path="msg0.OS"
| spath output=proctorCacheOS2 path="msg0.OS"
| search proctorCacheOS=Windows* OR proctorCacheOS2=Mac*
| top limit=50 proctorCacheOS
Add the eval statement that I added above your last line of the search.
sourcetype="fire-ext_prd_app" NOT cv
| eval Mac = proctorCacheOS2
| eval Windows = proctorCacheOS
| spath output=proctorCacheOS path="msg0.OS"
| spath output=proctorCacheOS2 path="msg0.OS"
| search proctorCacheOS=Windows* OR proctorCacheOS2=Mac*
| eval winmac=case(proctorCacheOS like "Windows%","Windows",proctorCacheOS like "Mac%","Mac")
| top limit=50 proctorCacheOS
sourcetype="fire-ext_prd_app" NOT cv
| spath output=proctorCacheOS path="msg0.OS"
| spath output=proctorCacheOS2 path="msg0.OS"
| eval winmac=case(proctorCacheOS like "Windows%","Windows",proctorCacheOS like "Mac%","Mac")
| top limit=50 winmac
I had to change a couple things but that worked! Thanks much!!
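The normalization from this thread, run against constructed sample events so it can be pasted into a search bar without the original sourcetype (an added example, not part of the original posts). The OS strings are made-up sample values, and the `true(), "Other"` branch is an addition: without a default, `case()` returns null for any OS that is neither Windows nor Mac, and `top` silently leaves those events out of the counts.

```spl
| makeresults count=5
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"msg0\":{\"OS\":\"Windows 10\"}}",
    n=2, "{\"msg0\":{\"OS\":\"Windows 7\"}}",
    n=3, "{\"msg0\":{\"OS\":\"Mac OS X 10.14\"}}",
    n=4, "{\"msg0\":{\"OS\":\"Mac OS X 10.15\"}}",
    n=5, "{\"msg0\":{\"OS\":\"Chrome OS\"}}")
| spath output=proctorCacheOS path="msg0.OS"
| eval winmac=case(
    like(proctorCacheOS, "Windows%"), "Windows",
    like(proctorCacheOS, "Mac%"), "Mac",
    true(), "Other")
| top limit=50 winmac
```

On the sample data this returns Windows and Mac with a count of 2 each and Other with a count of 1.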