Hey everyone,
So this feels like something I should be able to do with the standard search language, but I am failing at it.
I have a result, coming from a custom command, that contains fields like this:
entries.0.category_name, entries.1.category_name, ..., entries.n.category_name
I would like to take all of these and either create a multi-value field with all of the values in them, or create just one string joining all of the values of entries.*.category_name together, with a comma.
I want something like:
| eval mvjoin(entries.*.category_name, ",")
But Splunk does not like that.
Any thoughts?
Thanks,
Dave