In logs we have a value "device=xyz,1". Here we need to consider "xyz,1" as a single value and display it in a table format. But now when we run a query, it just displays the device value as "xyz" and misses out ",1". How to consider it as a single value?
Query example: ....|eval device = if(isnull(device), "notFound", device) | table device
From the above query:
Expectation:
Table should have column name as device and value should be "xyz,1"
What is actually happening:
Table has column name as device but value is "xyz"
I have tried mvjoin, but it's not helping.
Please suggest a solution.
You may need to custom-extract the value (until you can get the sourcetype's props.conf and transforms.conf updated).
Something like this should work:
<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>
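A self-contained search that puts the answer's rex extraction together with the asker's eval/table step, so it can be pasted into a Splunk search bar and checked without touching props.conf or transforms.conf. This is an added example, not code from either poster; the two events are constructed with makeresults, and the host/status fields and the "srv01" value are made up for illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1,
        "host=srv01 device=xyz,1 status=ok",
        "host=srv01 status=ok")
| rex field=_raw "device=(?<device>\S+)"
| eval device=if(isnull(device), "notFound", device)
| table _raw device
```

The first row shows device as "xyz,1" in a single cell; the second row, which has no device=... pair, falls through to "notFound". The \S+ class keeps everything up to the next whitespace, which is what makes the comma survive; if the raw format ever separates pairs with commas instead of spaces (for example device=xyz,1,status=ok), that class would over-capture, and a more specific pattern or a delimiter-aware extraction in transforms.conf would be needed.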