Hi,
I am using multiple sources in a single search command and I want to rename the _raw field of one of the source types.
My current search:
sourcetype="blacklisted ip" OR sourcetype="log" | rename _raw as blacklisted
I want to change the _raw field of blacklisted ip into blacklisted, and leave the _raw field of log as default.
Thanks a lot.