Include AND/OR operator in Pivot query

null0 · ‎06-18-2018

Hi guys,
my problem is how to make working following query

| pivot Cisco_IOS_Event Cisco_IOS_Event count(host) AS "Count of host" avg(severity_id) AS "Average of severity_id" count(Cisco_IOS_Event) AS "Count of Cisco IOS Event" SPLITROW host AS host SORT 100 host ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 FILTER host is $host$

where $host$ refers to a field of a checkbox as

(host=10.29.28.) OR (host=10.29.72.)

i've no problem if network is only one, but AND or OR operator are making my head spinning 'cause not admitted if prefixed to PIVOT query.. "The pivot command can only be used as the first command on a search"

any idea abt how solve this?

many thx

renjith_nair · ‎06-25-2018

Hi @null0,

Try in in your filter

 | pivot Cisco_IOS_Event Cisco_IOS_Event count(host) AS "Count of host" avg(severity_id) AS "Average of severity_id" count(Cisco_IOS_Event) AS "Count of Cisco IOS Event" SPLITROW host AS host SORT 100 host ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 FILTER host in $host|s$

And set the token so that the values are in a format (value1,value2,value3,etc)

Reference : http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Pivot#Descriptions_for_filter_elem...

---
What goes around comes around. If it helps, hit it with Karma 🙂

null0 · ‎06-25-2018

guys! no idea how to solve this?

Please

Include AND/OR operator in Pivot query

(host=10.29.28.) OR (host=10.29.72.)

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk