Hi,
The search I have returns two events.
One event has the following field:
patches{}.name - These are patches that are to be installed
The other has:
policies{}.packages{}.name - These are patches that failed to install
My search is as follows:
index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"
And this returns the following:
name | Patches to be installed | Failed to install |
LP-USER-01096 | Google Chrome Microsoft OneDrive | |
LP-USER-01096 | | Microsoft OneDrive Google Chrome |
But what I really want is the following:
name | Patches to be installed | Failed to install |
LP-USER-01096 | Google Chrome Microsoft OneDrive | Google Chrome Microsoft OneDrive |
Is there a way I can consolidate these results onto one row so it looks like the above?
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name
Got it in one!
Showing the results exactly as I want them. Thanks for your help.