Search String
index=myindex sourcetype=mysourcetype | rex "\.(?<host_domain>.+)$" field=host | lookup host_domain Domain AS host_domain OUTPUT Market System "System Name" | search assetId=1111111111111 | stats values(System) as Systems values(provider) as Provider values(providerId) as ProviderID values(createTime) as ProvisionTime values(Licensing_Window_Start) as Window_Start values(Licensing_Window_End) as Window_End values(opState) as OpState by assetId product | eval ProvisionTime=strftime(ProvisionTime,"%m/%d/%y %H:%M:%S")
createTime
Values Count %
1446874404 4 80%
1446874403 1 20%
Host Count
Values Count %
Host01 1 20%
Host02 1 20%
Host03 1 20%
Host04 1 20%
Host05 1 20%
The results looks like
assetId product Systems Provider ProviderID ProvisionTime Window_Start Window_End OpState
AAA ABC host01 ABCD ABCDE 11/07/15 00:33:23
host02 11/07/15 00:33:24
host03
host04
host05
What I am looking for is for the results to look like, even if the values in ProvisionTime are the same
assetId product Systems Provider ProviderID ProvisionTime Window_Start Window_End OpState
AAA ABC host01 ABCD ABCDE 11/07/15 00:33:23
host02 11/07/15 00:33:23
host03 11/07/15 00:33:23
host04 11/07/15 00:33:23
host05 11/07/15 00:33:24
