Solved: How do I go about merging two result values and re...

leninkp3005 · ‎10-15-2018

Hi Folks,

I want to merge two result values in a single field, which have the same name and to also rename the result values.

Please anyone help me out.

for Merging ex:-
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20

What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20

For renaming result fields:
Status Count
====== =====
Compliance 10
Unknown 20

What I need as table:
Status Count
====== =====
Compliance 10
Non-Compliance 20

Cheers,
Lenin Kp

richgalloway · ‎10-15-2018

An easy way to combine two fields is with concatenation and eval. Something like this:

.. | eval "NAS Type: Count" = 'NAS Type:'." ".'Count'

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-15-2018

An easy way to combine two fields is with concatenation and eval. Something like this:

.. | eval "NAS Type: Count" = 'NAS Type:'." ".'Count'

---
If this reply helps you, Karma would be appreciated.

adonio · ‎10-15-2018

kindly share the search providing the results you mention so we can better assist you

leninkp3005 · ‎10-22-2018

Hello Adonio,
Apologies for delay response!!
This is not a big query it's very common query.

I used below query:

"" index="cisco" sourcetype="cisco:ise:syslog" NAS_Port_Type!=NULL | timechart count by NAS_Port_Type |sort -_time ""

This query given the result which is written in my question .
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20

What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20

Cheers,
Lenin Kp

kamlesh_vaghela · ‎10-23-2018

@leninkp3005

Can you please try this?

YOUR_SEARCH | rex mode=sed field=NAS_Port_Type "s/\\\//g" | dedup NAS_Port_Type

Thanks

leninkp3005 · ‎10-23-2018

Thanks., it works

How do I go about merging two result values and renaming them?