I am trying to make a search which can group the different parameters in a single column and display them as multiple columns. For example, for server1 there can be a lot of incidents with different severity values, for example:
Server Name | Severity
Server1 | 1
Server1 | 2
Server1 | 3
This has to be represented in this format:
Server Name | Severity 1 | Severity 2 | Severity 3
Server1 | 10 | 5 | 4
Server 2 | 8 | 9 | 8
<your search> | chart count over "Server Name" by Severity
And if you really want to turn the severity values into "Severity 1" instead of just "1" in the columns:
<your search> | eval Severity="Severity ".Severity | chart count over "Server Name" by Severity
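A self-contained version of the chart answer above, added here as an example and not part of the original answer. It uses makeresults/streamstats/eval to construct nine fake incident rows (the first three pipeline stages are assumed sample data; in a real search replace them with your own base search), deliberately leaves one row without a Severity so that the fillnull step is exercised, then prefixes the value and pivots with chart:

```spl
| makeresults count=9
| streamstats count AS n
| eval "Server Name"=if(n<=5, "Server1", "Server2")
| eval Severity=case(n<=3, 1, n==4, 2, n==5, 3, n==6, 1, n<=8, 2)
| fillnull value="unknown" Severity
| eval Severity="Severity ".Severity
| chart count OVER "Server Name" BY Severity
| fillnull value=0
```

Run as written this produces one row per server with columns Severity 1, Severity 2, Severity 3 and Severity unknown (Server1: 3, 1, 1, 0; Server2: 1, 2, 0, 1). The fillnull before the eval matters in practice: an incident whose severity was never extracted would otherwise be silently dropped from the pivot, which is exactly the kind of event a security reviewer wants to see counted rather than hidden. The trailing fillnull value=0 turns empty cells into zeros so downstream alerting or sorting on a column does not treat a missing count as a non-numeric value.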
What is the format of your severity field? Is it extracted?
If you want to count the number of events per severity per host, you can try to collate the results of 3 searches, one per severity level.
* severity1 | stats count as severity1 by host | appendcols [ search * severity2 | stats count as severity2 by host ] | appendcols [ search * severity3 | stats count as severity3 by host ]
It is much better to just use the chart command.