I have data that looks like this:
event,myField,myHost,myCategory
yes,a,host1,category1
yes,b,host1,category1
yes,c,host2,category1
yes,a,host2,category3
yes,b,host2,category2
Here's my search:
sourcetype="sourcetype1"| where event="yes" | eval aTotal=if(myField="a", 1, 0) | eval bTotal=if(myField="b", 1, 0) | eval cTotal=if(myField="c", 1, 0) | stats sum(aTotal) as A, sum(bTotal) as B, sum(cTotal) as C by "myHost"
So currently my output looks like this:
myHost, A, B, C
host1, 1, 1, 0
host2, 1, 1, 1
I'm looking to get output that looks like:
myHost, myCategory, A, B, C
host1, category1, 1, 1, 0
host2, category1, 0, 0, 1
host2, category2, 0, 1, 0
host2, category3, 1, 0, 0
Can anyone help?
... View more