Hello,
I'm new here, tried to find the answer for my problem but failed. I'm looking for a method to extract values from 2 different events. These events have some common fields but I'm not interested in them being part of the output.
My events have the following fields (there are more, but these are the ones I would like to operate on):
EventID=10001
time=_time
user=mike
vlan=mikevlan
EventID=10002
time=_time
user=mike
L2ipaddress=1.2.3.4
What I'm looking at as a result is a table with the combined results from the vlan and L2ipaddress columns for which user and time match. Then I need to have a list of all vlans grouped by L2ipaddress:
1.2.3.4|mikevlan,tomvlan,anavlan
1.2.3.5|brianvlan,evevlan
etc
Any ideas?
| stats values(vlan) as vlan values(L2ipaddress) as L2ipaddress by _time user
| stats values(vlan) as vlan by L2ipaddress
| eval vlan=mvjoin(vlan,",")
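A self-contained way to try the search above on constructed data, added here as an example and not part of the original posts. The field `constructed_sample` and its six events (time, EventID, user, value) are made up for illustration; only the last three lines are the search from the answer.

```spl
| makeresults
| eval constructed_sample="1700000000,10001,mike,mikevlan;1700000000,10002,mike,1.2.3.4;1700000060,10001,tom,tomvlan;1700000060,10002,tom,1.2.3.4;1700000120,10001,brian,brianvlan;1700000120,10002,brian,1.2.3.5"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| eval f=split(constructed_sample,",")
| eval _time=tonumber(mvindex(f,0)), EventID=mvindex(f,1), user=mvindex(f,2)
| eval vlan=if(EventID=="10001",mvindex(f,3),null()), L2ipaddress=if(EventID=="10002",mvindex(f,3),null())
| fields _time EventID user vlan L2ipaddress
| stats values(vlan) as vlan values(L2ipaddress) as L2ipaddress by _time user
| stats values(vlan) as vlan by L2ipaddress
| eval vlan=mvjoin(vlan,",")
```

The first `stats` only pairs a vlan with an L2ipaddress when both events carry the same `_time` and `user`. If the two events are logged a moment apart, bucket the timestamp before that `stats` (for example `| bin _time span=1m`, where the span is an assumption to tune to your data).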
ITWhisperer - wow! That worked. And the solution is even easier than I thought. It's greatly appreciated!