Archive

How to combine information to a list

Explorer

Hello,

I have a query to get the following lines:
element ID value temp (wanted)
ABC 1 false "false false false true true false"
ABC 4 true "false false false true true false"
ABC 2 false "false false false true true false"
ABC 3 false "false false false true true false"
ABC 5 true "false false false true true false"
ABC 6 false "false false false true true false"

Sort by ID and get their values list "false false false true true false" to a variable .
index="x" sourcetype="y"

| sort 0 element ID
| streamstats list(value) AS temp by element

How can I make the last list "false false false true true false" to temp as above?

Thanks

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

try this:

index="x" sourcetype="y"
| sort 0 element ID
| eventstats list(value) AS temp by element

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

try this:

index="x" sourcetype="y"
| sort 0 element ID
| eventstats list(value) AS temp by element

View solution in original post

0 Karma