We have the following working query:
(index=wineventlog sourcetype=WinEventLog NOT ("xxxx" OR "yyyy") src_ip IN (<multiple IPs>))
OR (index=checkpoint dst IN (<multiple IPs>) action=Accept)
| eval destination_ip = coalesce(<one name>,<second name>)
| transaction destination_ip maxpause=60s
Both index=wineventlog and index=checkpoint have a src field.
Where can we rename it? Because we end up, after the transaction command, with two src fields.
You can rename the field any time after the first pipe. Of course, that will rename the field from both indexes. To rename only one index, you'll need to split the base query, do the rename, then combine them with append.
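A concrete version of the split, rename and append approach described in the answer, as an added example that is not part of the original post; the IP lists, exclusion terms and the two destination field names are the placeholders carried over from the question:

```spl
(index=wineventlog sourcetype=WinEventLog NOT ("xxxx" OR "yyyy") src_ip IN (<multiple IPs>))
| rename src AS src_wineventlog
| append
    [ search index=checkpoint dst IN (<multiple IPs>) action=Accept
      | rename src AS src_checkpoint ]
| eval destination_ip = coalesce(<one name>, <second name>)
| transaction destination_ip maxpause=60s
| table _time, destination_ip, src_wineventlog, src_checkpoint, eventcount
```

Because append runs the checkpoint search as a subsearch, it is bound by the subsearch limits (append's maxout and maxtime arguments), so on large result sets the transaction can silently miss checkpoint events. Keeping both indexes in one base search and deriving per-index fields with eval, e.g. `| eval src_wineventlog=if(index=="wineventlog", src, null()), src_checkpoint=if(index=="checkpoint", src, null())`, avoids that limit entirely.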
Thank you @richgalloway.
The developer did | eval src-{index} = src which generated the src-wineventlog and src-checkpoint fields. She is happy ;-)
If your problem is resolved, please accept the answer to help future readers.