Hello,

Thank you for your answer, I will you explain my case better.

I have two CSV file with csv file A where the content is some CVE vulnerability by ip server and the second CSV file B where the content is the list of our server where is mentionned the server owner etc. 

I want to show on the dashboard the Owner, name server, CVE, IP ect. 

In the csv file A the Owner is not associed with the IP server so I did an variable "ip" to merge the data from both CSV and get the owner associed with the IP with "transaction"

(index="A" AND (Risk=$Risk$))OR(index="B" AND ("Deployment State"=Production))| eval ip_extracted=if(cidrmatch("Network",extracted_Host), "ipok", "noip") | eval ip_servers=if(cidrmatch("Network",NIC__1__IPAddress__1), "ipok", "noip") | eval ip=if(match(ip_servers, "ipok"),NIC__1__IPAddress__1, extracted_Host)  | transaction ip  | table  Owner ip Risk Name Description Solution "CVSS v2_0 Base Score" "CVSS v3_0 Base Score" OperatingSystem | where  Risk!="NULL" |search Owner=$Owner$ ip=$ip$

Now my problem is that each events sorted by ip are merged in my dashboard, I want that each event is shown independently by ip like as shown below because I want to add an check case where the owner can check if the event has been done or not and actualy it's not possible because each events are merged

My English is not good so I don't know if you have understand what I mean ?

Regards,

Give this a try

(index="A" AND (Risk=$Risk$))OR(index="B" AND ("Deployment State"=Production))
| eval ip_extracted=if(cidrmatch("Network",extracted_Host), "ipok", "noip") 
| eval ip_servers=if(cidrmatch("Network",NIC__1__IPAddress__1), "ipok", "noip") 
| eval ip=if(match(ip_servers, "ipok"),NIC__1__IPAddress__1, extracted_Host)  | fields  Owner ip Risk Name Description Solution "CVSS v2_0 Base Score" "CVSS v3_0 Base Score" OperatingSystem 
| stats values(*) as * by ip | where  Risk!="NULL" |search Owner=$Owner$ ip=$ip$

Hi,

thx for your reply but the result it's same, all events are merged