Hi Folks,
I want to merge two result values that have the same name into a single field, and also rename the result values.
Can anyone please help me out?
For merging, e.g.:
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20
What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20
For renaming result fields:
Status Count
====== =====
Compliance 10
Unknown 20
What I need as table:
Status Count
====== =====
Compliance 10
Non-Compliance 20
Cheers,
Lenin Kp
An easy way to combine two fields is with concatenation and eval. Something like this:
... | eval "NAS Type: Count" = 'NAS Type:'." ".'Count'
Kindly share the search providing the results you mention so we can better assist you.
Hello Adonio,
Apologies for the delayed response!
This is not a big query; it's a very common query.
I used the query below:
index="cisco" sourcetype="cisco:ise:syslog" NAS_Port_Type!=NULL | timechart count by NAS_Port_Type | sort -_time
This query gave the result that is written in my question.
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20
What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20
Cheers,
Lenin Kp
@leninkp3005
Can you please try this?
YOUR_SEARCH | rex mode=sed field=NAS_Port_Type "s/\\\//g" | dedup NAS_Port_Type
Thanks
Thanks, it works.
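An added example, not part of the original thread: dedup keeps one row per value rather than adding counts together, so if the "Ethernet\" and "Ethernet" events should be counted as one type, strip the backslash before aggregating. The same search also covers the rename half of the question with eval; the field name Status is an assumption taken from the column header in the question, since the search that produced that table is not shown.

```spl
index="cisco" sourcetype="cisco:ise:syslog" NAS_Port_Type!=NULL
| eval NAS_Port_Type=replace(NAS_Port_Type, "\\\\", "")
| eval Status=if(Status=="Unknown", "Non-Compliance", Status)
| stats count AS Count BY NAS_Port_Type
| rename NAS_Port_Type AS "NAS Type:"
```

For the status table, use BY Status in the stats command and drop the rename. The two eval lines can also sit in front of the original timechart.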