Table additional field after stats command

marco_massari11 · ‎11-30-2020

Hi,

I have a query:

index="cisco" hostname=* (cat_name=passed OR cat_name=failed) type="Ethernet"
| eval site=case(substr(NetworkDeviceName,1,7)=="mysite",substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4),1=1,substr(NetworkDeviceName,1,7) )
| stats count by site mac_address cat_name type
| eval type_cat_name=type."_".cat_name
| eval site_mac=site."_".mac_address
| xyseries site_mac type_cat_name count
| rex field=site_mac "(?<site>.*)_(?<mac>.*)"
| search "Call Check_CISE_Failed_Attempts">=1 AND "Call Check_CISE_Passed_Authentications"="NULL" AND "Framed_CISE_Failed_Attempts"="NULL" AND "Framed_CISE_Passed_Authentications"="NULL"
| chart dc(mac) As Endpoints by site

So the result is a column chart that shows for each site the count of mac address that correspond to the search condition. Now if I want to click on a column I go to another dashboard for the specific site and for the mac address I need additional fields to show in a table like site, mac_address, port, interface. I tried to add this field in the by clause after stats but it seems doesn't work.

Have you any suggestions?

Table additional field after stats command

chart

drilldown

form

panel

token

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

Table additional field after stats command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.