Search String
index=myindex sourcetype=mysourcetype | rex "\.(?<host_domain>.+)$" field=host | lookup host_domain Domain AS host_domain OUTPUT Market System "System Name" | search assetId=1111111111111 | stats values(System) as Systems values(provider) as Provider values(providerId) as ProviderID values(createTime) as ProvisionTime values(Licensing_Window_Start) as Window_Start values(Licensing_Window_End) as Window_End values(opState) as OpState by assetId product | eval ProvisionTime=strftime(ProvisionTime,"%m/%d/%y %H:%M:%S")
createTime
Values Count %
1446874404 4 80%
1446874403 1 20%
Host Count
Values Count %
Host01 1 20%
Host02 1 20%
Host03 1 20%
Host04 1 20%
Host05 1 20%
The results look like
assetId product Systems Provider ProviderID ProvisionTime Window_Start Window_End OpState
AAA ABC host01 ABCD ABCDE 11/07/15 00:33:23
host02 11/07/15 00:33:24
host03
host04
host05
What I am looking for is for the results to look like, even if the values in ProvisionTime are the same
assetId product Systems Provider ProviderID ProvisionTime Window_Start Window_End OpState
AAA ABC host01 ABCD ABCDE 11/07/15 00:33:23
host02 11/07/15 00:33:23
host03 11/07/15 00:33:23
host04 11/07/15 00:33:23
host05 11/07/15 00:33:24
Hi dasveruckte,
If you'd like a list of all values instead of unique values, you can use list() in place of values()
That works, thanks!!
Format doesn't look good; here is another version.
Systems createTime
host01 11/07/15 00:33:23
host02 11/07/15 00:33:24
host03
host04
Looking for
Systems createTime
host01 11/07/15 00:33:23
host02 11/07/15 00:33:23
host03 11/07/15 00:33:23
host04 11/07/15 00:33:24
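A run-anywhere search comparing `values()` and `list()` on the data shape from the question, added here as an illustration and not part of the original thread. It builds five constructed events with `makeresults`; the host names, asset ID, product and epoch values are taken from the question, while the `n`, `*_values` and `*_list` field names are made up for the comparison.

```spl
| makeresults count=5
| streamstats count AS n
| eval assetId="AAA", product="ABC", System="host0".n
| eval createTime=if(n<=4, 1446874404, 1446874403)
| eval ProvisionTime=strftime(createTime, "%m/%d/%y %H:%M:%S")
| stats values(System) AS Systems_values
        values(ProvisionTime) AS ProvisionTime_values
        list(System) AS Systems_list
        list(ProvisionTime) AS ProvisionTime_list
        BY assetId product
```

`ProvisionTime_values` collapses to two deduplicated, sorted entries, while `ProvisionTime_list` keeps all five in event order, so pairing `list(System)` with `list(ProvisionTime)` keeps each host next to its own timestamp. `list()` returns at most 100 values per group by default (`list_maxsize` in limits.conf), so larger groups are truncated.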