An easy way to do that is to concatenate the stuff you want to report on before the 'group by'. Since you don't provide any sample events, the example below uses web server logs, where the yes/no of fieldX is http status 200 or 500:

sourcetype=access_combined status=200 OR status=500 | stats count by clientip status | eval cip = count . " - " . clientip | stats list(cip) as "count - ip" by status
Perhaps you can modify this to suit your needs.
A slightly different way is to make use of the delta function to see when a field value is the same as in the previous event. After setting the repeated value of your field to null, you can remove the delta field with the fields command:

sourcetype=access_combined status=200 OR status=500 | stats count by clientip status | delta status as ds | eval status = if(ds==0, null(), status) | fields - ds
If your 'fieldX' is non-numerical you'd need to make it so, e.g. with replace just before the delta:

sourcetype=my_sourcetype | stats count by fieldX name | replace "yes" with "1" in fieldX | replace "no" with "0" in fieldX | delta fieldX as dX | eval fieldX=if(dX==0, null(), fieldX) | fields - dX
The concatenation idea is a nice approach, but I'm already using this approach, so the row splits make the report readable... (my query uses stats list(field3) as Type list(field4) as Dollar by User in the example below):
"X Users" Joe $1223 typeA $23 typeC $12 -------------------------------- Pete $1034 typeA $29 typeB $49
So using a concatenation again will probably end up a little bit unreadable.
Thanks for the delta idea, I'll give it a go now.
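As an added example (not from either post above), the same blanking of repeated values can be done with the autoregress command instead of delta. autoregress copies the previous row's value into a new field as-is, so the comparison works on non-numeric values such as "yes"/"no" or user names without the replace step, which delta needs because it subtracts numbers. The sourcetype and field names (my_sourcetype, fieldX, name, User, field3, field4) are the hypothetical ones used in the posts; the first search covers the non-numerical fieldX case from the answer, the second the User/Type/Dollar table from the comment.

```spl
sourcetype=my_sourcetype
| stats count by fieldX name
| autoregress fieldX as prev_fieldX p=1
| eval fieldX = if(fieldX == prev_fieldX, null(), fieldX)
| fields - prev_fieldX

sourcetype=my_sourcetype
| stats list(field4) as Dollar by User field3
| rename field3 as Type
| autoregress User as prev_User p=1
| eval User = if(User == prev_User, null(), User)
| fields - prev_User
```

In the first row prev_fieldX (or prev_User) does not exist, so the comparison is not true and the value is kept; from the second row on, any value equal to the row above is set to null and shows up blank in the table. Because this runs after stats, make sure the by-clause keeps the field you are blanking as the first sort key, otherwise equal values may not be adjacent and will not be blanked.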