Support a command like this:
sourcetype="ms:o365:management AzureActiveDirectory | jmespath output="Actor.Type[*]" "unroll(Actor, 'Type', 'ID')"
Right now this works, but it creates a field with double quotes around it. DOH! We also want to be able to support fields that could contain a whitespace character (event though that's bad form).
The current workaround is follow this up with an extra rename operation, which shouldn't be necessary.
Support a command like this:
Right now this works, but it creates a field with double quotes around it. DOH! We also want to be able to support fields that could contain a whitespace character (event though that's bad form).
The current workaround is follow this up with an extra
renameoperation, which shouldn't be necessary.