Hello,
I have a search that is working and I get the desired output. Now I am trying to make the output "prettier". Basically I want to group the username field so that it only displays once in the table and the second ipAddr field would be combined with each result in a vertical group. Hope that makes sense.
The current output looks like
username1 ipAddr1
username1 ipAddr2
username2 ipAddr3
username2 ipAddr4
The desired output would be
username1 ipAddr1
          ipAddr2
username2 ipAddr3
          ipAddr4
The simpler way to accomplish almost the same thing (if it's just for presentation purposes) is:
... | stats values(ipAddr) by username
That's it.
The values(field) function gives you the distinct values for the field.
The list(field) function would give you all values for the field (including duplicates).
/K
I was able to figure it out from another user's question, but posting the answer here in case someone else needs it:
.... | streamstats current=f last(username) as previousUsername | eval username=if(username==previousUsername,"",username) | fields - previousUsername | table username ipAddr