So when I run the following search, `event_name` returns a list of all `event_name` values which match the `coalesce(src_ip,host_ip)`. The output looks to be a Python unicode list, i.e.: `[u'itemnumber1',u'itemnumber2','itemnumber3']` etc.
```spl
sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None
| eval src_ip = coalesce(src_ip,host_ip)
| table msg, src_ip, dst_ip, dst_port, event_name, risk
```
How would I make this so each `'itemnumber(n)'` would return a new row, or pretty formatting so that it's more readable?
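One way to get one row per item, as an added example that is not part of the original post. It assumes the same sourcetypes and field names as the search above and covers two cases: `event_name` being a genuine Splunk multivalue field, and `event_name` being a single string that merely looks like a Python list (`[u'a',u'b','c']`), which is what the quoted output suggests. The `rex` call with `max_match=0` pulls every quoted item out of the string form into a multivalue field `event_item` (a name chosen here, not from the post); `coalesce` falls back to the original field when nothing was extracted, and `mvexpand` turns each value into its own row:

```spl
sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None
| eval src_ip = coalesce(src_ip,host_ip)
| rex field=event_name max_match=0 "u?'(?<event_item>[^']+)'"
| eval event_item = coalesce(event_item, event_name)
| mvexpand event_item
| table msg, src_ip, dst_ip, dst_port, event_item, risk
```

If you would rather keep one row per event and only make the list readable, replace the `mvexpand event_item` line with `| eval event_item = mvjoin(event_item, "; ")`, which joins the values with a delimiter of your choice. Two caveats: `mvexpand` copies every other field (`msg`, `src_ip`, `risk`, ...) into each new row, so counts over the expanded result no longer equal event counts, and `mvexpand` is subject to the `max_mem_usage_mb` limit in `limits.conf`, so very large multivalue fields can be silently truncated. Note also that `AND` binds tighter than `OR` in SPL, so the first line reads as `sourcetype=suricata OR (sourcetype=nessus_scans AND risk!=None)`; if you intend `risk!=None` to apply to both sourcetypes, parenthesise the `OR`.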