I am attempting to create a new field in a search that pulls from other fields in order to automate the writing of a search query for another application.
the basic idea:
eval PCAP_Search=(( ipv4_initiator="src_ip" and port_initiator="src_port" and ipv4_responder="dest_ip" and port_responder="dest_port"))
with src_ip, src_port, dest_ip, dest_port being the other fields I am attempting to pull from.
I know I will have to escape the special characters and the ANDs, but have not been able to figure out how. The output of the field would ideally look like this:
(ipv4_initiator="172.168.0.1" and port_initiator="1234" and ipv4_responder="8.8.8.8" and port_responder="80")
I attempted escaping the characters individually with \, and escaping everything that is not the fields I'm trying to pull from with ' ', but run into the issue of the expression being malformed or the field I'm creating not having anything in it?
UPDATE first answer is not correct, I'm not trying to create multiple new fields, just one with containing a string that pulls data from 4 other fields
The
formatcommand will do that for you. Just populate the fields (or extract them from a search) and call|format.You also can do it manually using the concatenation operator, like this (remember, "AND" must be upper case).