It looks like the props.conf is trying to transform OriginalFileName into file_name for all events. The issue I am seeing is with File Create events (event 11). Those events don't have a "OriginalFileName" field. They only have a "TargetFileName" field. So in the search looking for new file creates, the query uses "file_name" which is not found in event id 11. If I am not understanding this correctly, let me know. Just now starting to get familiar with the app. Thank you.
FYI, this seems to have fixed the issue for me. Not sure if this is the best solution:
Replacing
EVAL-file_name = coalesce(file_name,OriginalFileName)
With
EVAL-file_name = case(EventCode=="11",TargetFilename,EventCode!="11",coalesce(file_name,OriginalFileName))
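A way to check the two expressions from the post side by side before editing props.conf, added here as an example and not taken from the app or from the original post. The two events are constructed with `makeresults`, the paths and file names are made-up sample values, and `file_name_old` / `file_name_new` are illustrative field names. With the original expression the EventCode 11 row has no `file_name_old` value, while `file_name_new` carries the `TargetFilename` value:

```spl
| makeresults count=2
| streamstats count AS n
| eval note="constructed sample event, not real Sysmon data"
| eval EventCode=if(n==1, "11", "1")
| eval TargetFilename=if(n==1, "C:\\Users\\Public\\example.tmp", null())
| eval OriginalFileName=if(n==2, "example.exe", null())
| eval file_name_old=coalesce(file_name, OriginalFileName)
| eval file_name_new=case(EventCode=="11", TargetFilename, EventCode!="11", coalesce(file_name, OriginalFileName))
| table EventCode TargetFilename OriginalFileName file_name_old file_name_new note
```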