Use of Project with nested fields
I have a field that is nested. I can search with the full name without an issue but when I try to use it with project, I do not get any values back. I have tried to wrap the field with single and double quotes. That results in the value for the field to be the name of the field.
The goal is to get a list of all the different values of the payload.comment.commentID field. What do I need to do to use the payload.comment.commentID field?
dataset="MyDataSet" sourcetype="MySourceType" payload.comment.commentID=* | project payload.comment.commentID
Best Answer
-
this is known and it’s getting addressed. One way around it for now is to assign it a different name e.g.,
... | project foo=payload.comment.commentID0
Answers
-
this is known and it’s getting addressed. One way around it for now is to assign it a different name e.g.,
... | project foo=payload.comment.commentID0