I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.
The stats line looks like this:
| stats values(problem) AS prob count by problemType problemLocation . That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the
Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column, without having to group everything else by them.
Any help would be appreciated.
Give this a try
your current search with fields problemType problemLocation problem x | eval problem=problem."##".x | stats count by problemType problemLocation problem | table problemType problemLocation problem | rex field=problem "(?<problem>.+)##(?<x>.+)" | stats list(problem) as problem list(x) as x by problemType problemLocation
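A self-contained version of the concatenate-then-split approach above, added here as an example and not part of the original answer. The events are constructed inline with makeresults (the values are made up), and the field names problemType, problemLocation, problem and x follow the question. Because the pair is kept as a single value through stats, and list() preserves order, the n-th prob and the n-th x in a row always come from the same event; trimming both with the same mvindex range keeps them aligned.

```spl
| makeresults count=1
| eval _raw="problemType=auth problemLocation=login problem=badpw x=host1;problemType=auth problemLocation=login problem=lockout x=host2;problemType=auth problemLocation=login problem=badpw x=host3;problemType=net problemLocation=proxy problem=timeout x=host4"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "problemType=(?<problemType>\S+) problemLocation=(?<problemLocation>\S+) problem=(?<problem>\S+) x=(?<x>\S+)"
| eval pair=problem."##".x
| stats values(pair) AS pair by problemType problemLocation
| mvexpand pair
| rex field=pair "^(?<prob>[^#]+)##(?<x>.+)$"
| stats list(prob) AS prob list(x) AS x by problemType problemLocation
| eval prob=mvindex(prob, 0, 4), x=mvindex(x, 0, 4)
```

Using values(pair) rather than values(problem) and values(x) separately is the point: values() sorts and deduplicates each field on its own, so two separate multivalue columns lose their row-by-row correspondence, while the combined pair survives as one unit.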
@richgalloway this displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the prob column, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one
I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.