I'm sure there's a really easy answer, but it isn't coming to me so I'd greatly appreciate some help.
If I define a saved search named `test` as:

```
| makeresults | eval foo="cat", bar="dog", baz="moose" | fields $fields$
```
then it works as expected with `savedsearch` (it returns the fields `foo` and `bar`, or `bar` and `baz`), but it fails with the `map` command (it returns a single field named `foo bar` or `bar baz`).
Saved search examples:

```
| savedsearch test fields="foo bar"
```

Returns the fields `foo` and `bar`.

```
| savedsearch test fields="bar baz"
```

Returns the fields `bar` and `baz`.
Map examples:

```
| makeresults
| eval fields="foo bar"
| map test
```

Returns the field `foo bar` (which is empty) instead of the fields `foo` and `bar`.
```
| makeresults
| eval fields="foo baz"
| map test
```

Similarly returns the field `foo baz` instead of the fields `foo` and `baz`.
Not surprisingly, if I specify only one field it does work:

```
| makeresults
| eval fields="foo"
| map test
```
I'm sure this is something really simple, but the solution just isn't coming to me.