Hi,

I have the below search:

| tstats values(Authentication.src_ip) as src_ip values(Authentication.src_host) as src_host
from datamodel=Authentication.Authentication where Authentication.user=*
by Authentication.dest, Authentication.action, Authentication.user, Authentication.app | `drop_dm_object_name("Authentication")`
| stats count(eval(action=="failure")) as failure, count(eval(action=="success")) as success, dc(dest) as dest_count, values(src_ip) as src_ip, values(src_host) as src_host

The search will display values of certain fields from the Authentication data model. Two of the fields have multivalues stored in them - Authentication.src. and Authentication.src_host. Authentication.src_host is a calculated eval field of the datamodel that performs a dns lookup of the Authentication.src field (which is an IP address)

The problem Im having is that the stats values command will display columns of the values of these two fields in alphanumeric order when I run the above search. Which basically means that the src value will not be displayed inline with its correct corresponding src_host value. From below example, src_host value for 10.1.1.1 is actually chost, but a_host is displayed alongside it as it is sorted alphanumerically.

src             src_host

10.1.1.1   a_host

10.1.1.2   b_host

10.1.1.3   c_host

Is there a way I can output the values of the src_host field with its corresponding correct value for the src field?

Thanks!