Hi,
Just as the question says. My current search results in something similar to this:
ip device
--------------------
111 workstation
--------------------
111 cell_phone
--------------------
111 router
--------------------
Running |dedup ip
deletes two entire rows without keeping all 3 device values. Instead, I'd like to have it merge the device
field into a multivalue field when duplicate ip
values are found like so:
ip device
--------------------
workstation
111 cell_phone
router
--------------------
What command(s) do I need to accomplish this?
stats command should work here
base search....
| stats values(device) as device by ip
stats command should work here
base search....
| stats values(device) as device by ip
Ah I was having a brain fart. This did the trick, thanks.
| stats values(device) as device by ip