Solved: Expand multivalue field to show subtotals.

jdlocklin526 · ‎04-03-2020

Hi Everyone,

I have a query that produces table 1 below.

| from inputlookup:"incident.csv" | where caused_by >= " "
| stats count values(caused_by) by assignment_group

I'd like to make the table more useful by reflecting it as table 2 and 3.

I tried :
| from inputlookup:"incident.csv" | where caused_by >= " "
| stats count values(caused_by) by assignment_group
| mvexpand values(caused_by)

but it did not give the desired results.

Any help would be appreciated.

to4kawa · ‎04-03-2020

| from inputlookup:"incident.csv" 
| where caused_by >= " "
| stats count by assignment_group caused_by
| stats list(caused_by) as caused_by list(count) as count sum(count) as "total team x team" by assignment_group

View solution in original post

to4kawa · ‎04-03-2020

| from inputlookup:"incident.csv" 
| where caused_by >= " "
| stats count by assignment_group caused_by
| stats list(caused_by) as caused_by list(count) as count sum(count) as "total team x team" by assignment_group

jdlocklin526 · ‎04-04-2020

Thank you. That works perfectly.

Expand multivalue field to show subtotals.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?