Comments and answers for "How do I pair two fields that came from the same event?"
https://answers.splunk.com/answers/687049/how-do-i-pair-two-fields-that-came-from-the-same-e.html
The latest comments and answers for the question "How do I pair two fields that came from the same event?"Answer by somesoni2
https://answers.splunk.com/answering/687090/view.html
Give this a try
your current search with fields problemType promblemLocation problem x
| eval problem=problem."##".x
| stats count by problemType promblemLocation problem
| table problemType promblemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocationWed, 19 Sep 2018 17:55:53 GMTsomesoni2Comment by samsam48 on samsam48's comment
https://answers.splunk.com/comments/687088/view.html
@richgalloway the displays the values of the X column, but it doesn't align those values with the values shown in `prob`. This is to say that if there are 3 values shown in the `prob`column, then the adjacent column should display the 3 corresponding `x` values. This should be possible because each event has only one `prob` value and only one `x` value.
I also apply `| eval prob=mvindex(prob, 0, 4)` at the end to cut the output to only 5 values, although this is a slightly different situation.Wed, 19 Sep 2018 17:37:33 GMTsamsam48Comment by richgalloway
https://answers.splunk.com/comments/687888/view.html
Does `| stats values(problem) AS prob values(x) as x count by problemType problemLocation` not give the desired results?Wed, 19 Sep 2018 15:21:56 GMTrichgalloway