Hi,
I'm trying to take filds from different events and put them in one table column. I've true this using the rename command, however, only the first rename files as SocialMediaPost it matched.
index="mail" (text!='' OR status!='' OR comment_text!='' OR message!='') | rename text as SocialPostData status as SocialPostData comment_text as SocialPostData message as SocialPostData | table URL User SocialPostData
Any help, much appreciated!
Scott-
Hmm... you might be looking for this:
... | eval data = coalesce(text, status, comment_text, message) | fields - text status comment_text message
That will take the first value that isn't null
and write it into the data
field.
That is perfect. Thank you!
Now - 4 column of data.
It's+all+good.
This.%20Is.%20Awesome%21%21
please%20do%20tell%2C%20soon!
more%20random
tweeted
tweeteed
Test%20mobile%0A
this%20is%20comment%20data
tweeter
missing
It's+all+good.
This.%20Is.%20Awesome%21%21
please%20do%20tell%2C%20soon!
more%20random
tweeted
tweeteed
Test%20mobile%0A
this%20is%20comment%20data
tweeter
What output are you getting now, and what does your desired output look like?