Hello, I have the following search
index=wineventlog EventCode=4728 OR EventCode=4731 OR EventCode=4729 OR EventCode=4732 OR EventCode=4756 NOT src_user=*$
| rename src_user as admin, name as action
| table admin, Group_Name, user_name
This spits out output like this:
admin Group_Name user_name
adminx GroupA UserA
adminx GroupB UserA
adminx GroupC UserA
adminy GroupD UserB
adminy GroupE UserB
adminy GroupF UserC
adminy GroupF UserD
I'm trying to combine them into a single message that looks like this:
admin Group_Name user_name
adminx GroupA,GroupB,GroupC UserA
adminy GroupD,GroupE UserB
adminy GroupF UserC,UserD
What would be the best way to achieve that?
| stats values(Group_Name) as Group_Name by admin user_name
| eval Group_Name=mvjoin(Group_Name, ",")
| stats values(user_name) as user_name by admin Group_Name
| eval user_name=mvjoin(user_name,",")
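The two-pass `stats values()` + `mvjoin` pipeline above, modelled in Python as an added example (not Splunk code or the answerer's) so the collapse can be checked offline against the sample rows from the question; `values()` is modelled as a sorted, de-duplicated set, which is what Splunk's `values()` returns (use `list()` in the search if order and duplicates must be kept).

```python
from collections import defaultdict

# Constructed sample rows mirroring the table in the question
# (one row per group-membership event, reduced to the three fields).
ROWS = [
    {"admin": "adminx", "Group_Name": "GroupA", "user_name": "UserA"},
    {"admin": "adminx", "Group_Name": "GroupB", "user_name": "UserA"},
    {"admin": "adminx", "Group_Name": "GroupC", "user_name": "UserA"},
    {"admin": "adminy", "Group_Name": "GroupD", "user_name": "UserB"},
    {"admin": "adminy", "Group_Name": "GroupE", "user_name": "UserB"},
    {"admin": "adminy", "Group_Name": "GroupF", "user_name": "UserC"},
    {"admin": "adminy", "Group_Name": "GroupF", "user_name": "UserD"},
]


def stats_values(rows, field, by):
    """Model of `stats values(<field>) as <field> by <by...>`: one output row
    per distinct combination of the `by` fields, with `field` replaced by
    the sorted, de-duplicated set of values seen in that bucket."""
    buckets = defaultdict(set)
    for row in rows:
        buckets[tuple(row[b] for b in by)].add(row[field])
    out = []
    for key, vals in buckets.items():
        new = dict(zip(by, key))
        new[field] = sorted(vals)  # values() is de-duplicated and sorted
        out.append(new)
    return out


def mvjoin(rows, field, sep=","):
    """Model of `eval <field>=mvjoin(<field>, sep)`: flatten a multivalue field."""
    return [{**r, field: sep.join(r[field])} for r in rows]


def collapse(rows):
    """Pass 1: groups per (admin, user). Pass 2: users per (admin, group-set).
    After pass 1 Group_Name is a plain string, so pass 2 keys on it safely."""
    rows = mvjoin(stats_values(rows, "Group_Name", ["admin", "user_name"]), "Group_Name")
    rows = mvjoin(stats_values(rows, "user_name", ["admin", "Group_Name"]), "user_name")
    return sorted(rows, key=lambda r: (r["admin"], r["Group_Name"]))


if __name__ == "__main__":
    for r in collapse(ROWS):
        print(r["admin"], r["Group_Name"], r["user_name"])
```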
That worked perfectly, thank you!