Solved: How to keep field names with mvaprend function?

woodentree · ‎02-10-2020

Hello,

In Enterprise Security's Asset Center I'd like to create a new field called "Comment". The goal is to fill it with different information like serial number, OS, installation status, etc.

The goal is to make it looks like this:

Install Status: Preproduction
OS: Microsoft Windows Server 2019
Serial Number: ABCD1234

To keep field names I tried to use an eval function below:

| eval comment="Install Status: " . install_status  . ",OS: " . os . ",Serial Number: " . serial_number
| rex mode=sed field=comment "s/,/\n/g"

But unfortunately some of field values could be null which makes the final value of "Comment" field equal null (even if other fields are not empty). To avoid that I replaced eval with mvapprend:

| eval comment=mvappend(install_status, os, serial_number)

It helps to solve the null value issue, but now I have no idea how can I keep the field's name.

Could you please help me to find a workaround?

Thanks for the help.

to4kawa · ‎02-10-2020

your search
| rename another_fields as _another_fields
| foreach * [ eval comment=mvappend(comment,"<<FIELD>>",<<FIELD>>)]
| rename _another_fields as another_fields

before foreach, The rest of three fields(install_status, os, serial_number) rename _field name
and then, rename again.

View solution in original post

to4kawa · ‎02-10-2020

your search
| rename another_fields as _another_fields
| foreach * [ eval comment=mvappend(comment,"<<FIELD>>",<<FIELD>>)]
| rename _another_fields as another_fields

before foreach, The rest of three fields(install_status, os, serial_number) rename _field name
and then, rename again.

woodentree · ‎02-11-2020

Thanks for the help @to4kawa !

How to keep field names with mvaprend function?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms