i have corelight events which has id.orig_h ,id.resp_h etc fields , but when i try to rename them using eval src_ip=id.orig_h… it doesnt work , the RENAME fucntion works though, I dont want to use rename because i dont want to lose original fields , i also cant use corelight pack because it is also using rename , how can i rename without losing original field???
Question
eval is failing to rename field
i have corelight events which has id.orig_h ,id.resp_h etc fields , but when i try to rename them using eval src_ip=id.orig_h… it doesnt work , the RENAME fucntion works though, I dont want to use rename because i dont want to lose original fields , i also cant use corelight pack because it is also using rename , how can i rename without losing original field???
I don’t think you can use an eval with a nested field like that. Or better, it depends. If you have a JSON string you need to parse it and then do the eval.
Could you trying using the value expression like __e['id.orig_h'] instead of just id.orig_h?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.