My search query checks the last 15m for each 5min interval. Sample query:
index=XXXX sourcetype=XXX* env=XXX OR env=XXX "Continuation timed out"
| bucket _time span=5m
| timechart span=5m count AS Devices
| eval sev=case('Devices'>=450, "3")
| eval support_group=case('Devices'>=450, "XXXXX")
| eval dedup=case('Devices'>=450, "XXXXXX")
| eval corr=case('Devices'>=450, "XXXXXX")
| eval event=case('Devices'>=450, "1")
| eval service_condition=case('Devices'>=450, "1")
| table sev event dedup corr support_group service_condition _time Devices
| sort 3 - Devices
| sort _time
| where isnotnull('sev')
| where 'Devices'>450
Based on the above query, my output is as follows:
sev  event  dedup  corr  support_group  service_condition  _time  Devices
3    1      xxx    xxx   xxx            1                  x      700
3    1      xxx    xxx   xxx            1                  y      900
3    1      xxx    xxx   xxx            1                  z      1000
But what I am trying to get is the output as follows:
sev  event  dedup  corr  support_group  service_condition  _time  Devices
3    1      xxx    xxx   xxx            1                  x,y,z  700,900,1000
Try adding this to the end of the query.
| stats values(_time) as _time, values(Devices) as Devices by sev event dedup corr support_group service_condition
| table sev event dedup corr support_group service_condition _time Devices
Thank you, it worked.
Hi
You can try something like this:
| makeresults
| eval _raw = "sev event dedup corr support_group service_condition time Device
3 1 xxx xxx xxx 1 x 700
3 1 xxx xxx xxx 1 y 900
3 1 xxx xxx xxx 1 z 1000"
| multikv forceheader=1
| fields - _time _raw
``` the above generates sample data ```
| stats values(*) as * by sev event dedup corr support_group service_condition
| eval Device = mvjoin(Device, ","), time = mvjoin(time, ",")
r. Ismo