I have asset management data that i need to create weekly reports.
When i make query for the data like query below:
index=a sourcetype=b
stats values(ip_addr) as ip by hostname
Result:
hostname ip
Host A 1) 10.0.0.0
2) 10.10.10.1
3) 10.0.0.2
Host B 1) 192.1.1.1
2) 172.1.1.1
i wanted the result not include the numbering in front of the ip address.
Please assist on this. Thank you.
I think you should remove numbering before stats. Can you please try this?
YOUR SEARCH
|rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
|stats values(ip) as ip by hostname
My Sample Search :
| makeresults
| eval _raw="hostname,ip_addr
Host A,1) 10.0.0.0
Host A,2) 10.10.10.1
Host A,3) 10.0.0.2
Host B,1) 192.1.1.1
Host B,2) 172.1.1.1"
| multikv forceheader=1
| table hostname,ip_addr
|rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
|stats values(ip) as ip by hostname
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
I think you should remove numbering before stats. Can you please try this?
YOUR SEARCH
|rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
|stats values(ip) as ip by hostname
My Sample Search :
| makeresults
| eval _raw="hostname,ip_addr
Host A,1) 10.0.0.0
Host A,2) 10.10.10.1
Host A,3) 10.0.0.2
Host B,1) 192.1.1.1
Host B,2) 172.1.1.1"
| multikv forceheader=1
| table hostname,ip_addr
|rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
|stats values(ip) as ip by hostname
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
Hi @kamlesh_vaghela, its work as expected. Thank you very much for your assist.