Hi
I have data in 3 sourcetypes where all the fields are named differently. I need to combine them to show in one table. Can you please help me to do this?
Sourcetype 1: fields HostName and ReportingTime
Sourcetype 2: fields MachineName and LastReported
Sourcetype 3: fields Host and time.
I want to have the following: Hostname (combined list from 3 sources) and 3 fields with different times in one row.
Can you please help me with a query or functions which will help me to do this?
I resolved this simply using the append command, joining data and renaming fields.
Try this!
(your search)
| eval Hostname=case(sourcetype=="Sourcetype 1", HostName, sourcetype=="Sourcetype 2", MachineName, sourcetype=="Sourcetype 3", Host)
| stats first(ReportingTime) as ReportingTime, first(LastReported) as LastReported, first(time) as time by Hostname
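
An added example, not part of the original posts: a self-contained version of the same normalize-then-stats approach that runs on three constructed events (one per sourcetype) instead of a real search. The host names and timestamps are made up, and lower-casing the name and stripping the domain suffix are assumptions about how the three sources might spell the same host; without that step, "SRV01", "srv01.example.test" and "srv01" would land in three separate rows.

```spl
| makeresults count=3
| streamstats count AS n
| eval sourcetype=case(n==1, "Sourcetype 1", n==2, "Sourcetype 2", n==3, "Sourcetype 3")
| eval HostName=if(n==1, "SRV01", null()), ReportingTime=if(n==1, "2024-05-01 10:00:00", null())
| eval MachineName=if(n==2, "srv01.example.test", null()), LastReported=if(n==2, "2024-05-01 10:05:00", null())
| eval Host=if(n==3, "srv01", null()), time=if(n==3, "2024-05-01 10:07:00", null())
| eval Hostname=lower(mvindex(split(coalesce(HostName, MachineName, Host), "."), 0))
| stats max(ReportingTime) AS ReportingTime max(LastReported) AS LastReported max(time) AS time BY Hostname
| table Hostname ReportingTime LastReported time
```

The result is a single row for srv01 carrying all three times. `max()` picks the latest value here only because the constructed timestamps are strings in a sortable year-first format.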