Table additional field after stats command

marco_massari11 · ‎11-30-2020

Hi,

I have a query:

index="cisco" hostname=* (cat_name=passed OR cat_name=failed) type="Ethernet"
| eval site=case(substr(NetworkDeviceName,1,7)=="mysite",substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4),1=1,substr(NetworkDeviceName,1,7) )
| stats count by site mac_address cat_name type
| eval type_cat_name=type."_".cat_name
| eval site_mac=site."_".mac_address
| xyseries site_mac type_cat_name count
| rex field=site_mac "(?<site>.*)_(?<mac>.*)"
| search "Call Check_CISE_Failed_Attempts">=1 AND "Call Check_CISE_Passed_Authentications"="NULL" AND "Framed_CISE_Failed_Attempts"="NULL" AND "Framed_CISE_Passed_Authentications"="NULL"
| chart dc(mac) As Endpoints by site

So the result is a column chart that shows for each site the count of mac address that correspond to the search condition. Now if I want to click on a column I go to another dashboard for the specific site and for the mac address I need additional fields to show in a table like site, mac_address, port, interface. I tried to add this field in the by clause after stats but it seems doesn't work.

Have you any suggestions?

Table additional field after stats command

chart

drilldown

form

panel

token

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Table additional field after stats command