I have a search that uses streamstat to create fields called "answer" and "frequency" for each resulting event. Each of these events has another field, called "app", which is the application that generated that event. I also use the "dedup" command to get only the last event generated by each application, resulting in something like this:
    app=APP1;anwser=123;freq=159
    app=APP2;anwser=456;freq=77
    app=APP3;anwser=789;freq=44
    app=APP4;anwser=112;freq=332
I want to create a simple table that has as columns the name of the application (from the "app" field) and as values (lines) of the table, the answer and the freq, like this:
              APP1   APP2   APP3   APP4
    answer    123    456    789    112
    freq      159    77     44     332
What I've done so far is this:
mysearch | table answer,frequency | transpose | rename "row 1" as APP1, "row 2" as APP2, "row 3" as APP3, "row 4" as APP4
Which does the trick, but it would be perfect if I could rename the rows automatically created by the transpose command with the values of the "app" field.
Is it possible to do that, or is there a better way to create such a table?