I have multiple single value number panels I want to combine into one table, I want my table to look somewhat like this:
I have these few searches as single panels that I want to put into the table, I also wanted to create a description spot for each of the single panels rows. I attempted to do this with Join then added an appendcols for the description but was unsuccessful any ideas?
|inputlookup blah.csv |search "Match on SCCM"=FALSE |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |table "SCCM Store" Store_Number Store_Desc "Match on SCCM" "Serial number" Mac_Address |stats count by "Match on SCCM" |stats sum(count)
|inputlookup blah.csv | search Status!="In use" |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "SCCM IP Address" as IP_Address| table Store_Number Mac_Address "IP_Address" "Status" |dedup Mac_Address |dedup "Store_Number" |stats count by "Store_Number" |stats sum(count) as count
|inputlookup blah.csv |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "Windows OS Version" as Windows_Version | search Windows_Version!=10.* | sort "Store_Number" - 0|table Store_Number Mac_Address "Windows_Version" |stats count by Windows_Version |stats sum(count) as count
Any ideas?
break this down:
|inputlookup blah.csv
combine all the | rename to one using commas
|rename "Assets Store #" as Store_Number, "Assets Store Desc" as Store_Desc, mac as Mac_Address, "SCCM IP Address" as IP_Address, "Windows OS Version" as Windows_Version
search for the events we want:
|search Windows_Version!=10.* OR Status!="In use" OR "Match on SCCM"=FALSE
count by the fields we need:
|stats count by Windows_Version "Store_Number" "Match on SCCM"
you can add the | sum(count) or maybe | table count depends on how you would like the results presented
hope it helps