Basically, what I do is extract the first 3 characters of the host field and show them in a separate field called Place. Now what I want to show is just the records having different values in the same event, and not show those records that have the same value. Any help is appreciated. Thank you.
| stats list(host) AS host, list(Place) AS place by ip
IP           host      place
10.10.20.30  dalerf01  dal
             dalerf02  dal
30.60.40.50  houl548   hou
             grfd548   grf
Try something like this
your base search which gives host, Place, ip | dedup ip Place | stats list(host) AS host, list(Place) AS place by ip
Try
| stats values(host) AS host, values(Place) AS place by ip
OR
Try dedup command
your search | dedup ip host Place
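An added example, not part of the original thread: one way to keep only the ip groups whose hosts map to more than one Place, by counting distinct Place values per ip with dc() and filtering on that count. The sample rows are constructed from the table in the question, and the field name place_count is a hypothetical helper introduced here.

```spl
| makeresults
| eval raw="10.10.20.30,dalerf01 10.10.20.30,dalerf02 30.60.40.50,houl548 30.60.40.50,grfd548"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "^(?<ip>[^,]+),(?<host>.+)$"
| eval Place=substr(host, 1, 3)
| stats values(host) AS host, values(Place) AS place, dc(Place) AS place_count by ip
| where place_count > 1
| fields - place_count
```

Against real data, replace the first five lines with the base search that yields ip and host.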