Hi.
I need to use IP Address in iplocation, but O365 returns 2 different logs. one with "ClientIP" field and others with "ClientIPAddress" field.
The issue is that in the logs only one of them exist. If there was null value for one of them, then it would be easy, I would have just checked for null value.
Search looks like this:
mysearch
|eval IPs= if(ClientIP "exists", ClientIP, ClientIPAddress)
|iplocation IPs
|stats ...
I can't do the "ClientIP exists" part. maybe this is not correct and other approach should be used. Does anyone know the solution?
... View more