Hi guys,
Looking for help framing a query for the following scenario:
index=index "designated field"
Events show that there are multiple values for the field (these are log message types):
Type1
Type2
Type3
....
TypeN
Want to enumerate all of the fields that are associated with each: designated_field.TypeN (i.e. each log message type has sub-fields associated with each log message type.)
So for Type1:
Field1_Type1
Field2_Type1
Field3_Type1
for Type2:
Field1_Type1
Field2_Type2
etc.
======================================
So I am imagining my query goes like this:
index=index1 designated_field
| <enumerate each of the values in designated_field>
| <pull out the field names for each of the values that were enumerated>
| <form a table with a column listing the values and then a second column showing all of the field names associated with each value>
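One way to express that sketch in SPL, as an added example that is not part of the thread (it assumes the index is index1 and the field is named designated_field, and it treats any field present on an event as a "sub-field" of that event's designated_field value):

```spl
index=index1 designated_field=*
| foreach * [ eval present_fields=if(isnotnull('<<FIELD>>'), mvappend(present_fields, "<<FIELD>>"), present_fields) ]
| eval present_fields=mvfilter(NOT match(present_fields, "^(_|designated_field$)"))
| stats values(present_fields) AS sub_fields BY designated_field
```

The foreach walks every field on each event and collects the names of those that are non-null; the mvfilter drops internal fields (leading underscore) and the designated_field itself, and stats produces one row per value with the multivalue list of associated field names.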
Hi ITWhisperer,
Thanks for taking the time to respond. I had thought I had responded to this, but it seems the forum ate my reply.
Mock Output:
_______________________________________________________________________________
Time   Designated_Field          Sub-Field Name
21:21  01 - Logon                User
                                 Host
                                 Domain
21:22  02 - Logoff               User
                                 Host
                                 Domain
21:23  04 - IP Address Assigned  Host
                                 Domain
                                 NS Server
                                 IP Type
_____________________________________________________________________________
NOTE: Designated_Field is a field whose values are extracted and displayed per event; the third column lists the sub-field names associated with the values in the second column.
I am not sure I understand the ask here - please can you share some realistic events and a representation of your expected output. Please include the events in a code block </> to preserve the formatting of the events.
Hi ITWhisperer,
Thanks for engaging my question.
Response:
----------------------------------
Time  | Designated_Field | Sub-Field
____________________________________________________________________________
21:23   01 - Logon         User
                           Host
                           Logon Domain
21:25   02 - Logoff        User
                           Host
                           Logon Domain
________________________________________________________________________________
So note that (01 - Logon, 02 - Logoff) are the values in the field: Designated_Field. By contrast, (User, Host, Logon Domain) are field names (like Designated_Field).