Hello, after a search like this:
index=myindex|lookup mycsv.csv host_ip
I have the following output:
I would like to make it look like this,
assuming that the criticity is unique per host_ip regardless of the number of times it appears.
Any help is welcome thanks.
Hi
Can you please try the search below?
YOUR_SEARCH
| eval tempField=mvzip(mvzip(host_ip,branch),criticity)
| stats count by _time, tempField
| eval host_ip=mvindex(split(tempField,","),0),
branch=mvindex(split(tempField,","),1),
criticity=mvindex(split(tempField,","),2)
Thanks
Thank you all for your solutions.
I finally solved it by this command
index=myindex
| lookup mycsv.csv host_ip
| stats count by host_ip,branch,criticity
| fields -count
It is time consuming, but it does the job!
Try this
index=myindex|lookup mycsv.csv host_ip
| mvexpand branch | eval criticity=mvdedup(criticity)
I think mvexpand should do what you need. Here's some documentation on it:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Mvexpand
Try adding this to the end of your query:
| mvexpand branch
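To make the two approaches in this thread concrete, here is an added example (not from any of the posts above) that builds the post-lookup multivalue state inline with makeresults instead of a real lookup, so it runs in any Splunk instance without mycsv.csv. It goes slightly beyond the accepted answer by zipping branch and criticity before mvexpand, which keeps the two values paired even when criticity is not constant per host, and then collapses repeats with dedup (equivalent to the accepted answer's stats/fields pair). The host_ip, branch and criticity values are constructed sample data.

```spl
| makeresults
| eval host_ip="10.0.0.1"
| eval branch=split("HQ,Lab,HQ", ",")
| eval criticity=split("high,high,high", ",")
| append
    [| makeresults
     | eval host_ip="10.0.0.2"
     | eval branch="DC"
     | eval criticity="low"]
| fields - _time
| eval pair=mvzip(branch, criticity, "|")
| mvexpand pair
| eval branch=mvindex(split(pair, "|"), 0)
| eval criticity=mvindex(split(pair, "|"), 1)
| fields - pair
| dedup host_ip branch criticity
```

Expanding branch alone, as in the shorter answers, is only safe under the original poster's assumption that criticity never varies within a host_ip; the mvzip step removes that dependency.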