I need to search a field called DNS_Matched, that has multi-value fields, for events that have one or more values that meet the criteria of the value ending with -admin, -vip, -mgt, or does not meet any of those three. How can I do that?
Example
DNS_Matched |
host1 host1-vip host1-mgt |
host2 host2-admin host2-mgmt host2-vip |
To work with multi-value fields, look to the mv* functions.
| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)
The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.
To work with multi-value fields, look to the mv* functions.
| eval match=if(isnotnull(mvfind(DNS_Matched, "(-admin|-mgt|-vip)")),1, 0)
The mvfind function uses a regular expression to search an MV field for certain text. It returns NULL if the value is not found or an index into the field if it is found.