I'm having problems with getting all the values to display when using this:
|stats count, values(host) as Host, list(Time1), list(Time2) by devtype
It shows me a count of all the hosts for each devtype. There can be hundreds of hosts for each devtype, so it's only displaying the first 100 results for the Time1 and Time2 fields, which I know is a limitation for list, but I can't use values for the time fields because there can be duplicate values and it won't work.
Anyone have a suggestion for another way of getting everything to display??
Not quite what I'm looking for. I'm trying to get each unique devtype to display once and show all the hosts within that location and the times for each host - only there's hundreds of hosts for each devtype:
devtype  host   time1     time2
Dell     host1  10:00:00  11:00:00
HP       host2  10:00:00  10:30:00
         host3  12:00:00  13:00:00
         host4  12:30:00  14:00:00
IBM      host5  07:00:00  08:00:00
         host6  07:00:00  08:00:00
This isn't quite what I'm looking for.
This results in the devtype being listed for every host. I'm trying to show each devtype once and then show each host and the times for each host.
Give this a try
your base search |stats count latest(Time1) as Time1 latest(Time2) as Time2 by devtype host | stats sum(count) as count list(host) as Host list(Time1), list(Time2) by devtype
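Added example (not part of the thread, and not Splunk code): a simplified Python model of the question's search and the answer's search, run over constructed events. It assumes list() keeps input order and stops at 100 values, as the question states, and that values() returns distinct values in lexicographic order; all function names are hypothetical.

```python
from collections import defaultdict

LIST_CAP = 100  # list() cap named in the question (assumed default)

def spl_values(items):
    return sorted(set(items))          # distinct values, lexicographic order

def spl_list(items):
    return list(items)[:LIST_CAP]      # input order, duplicates kept, capped

def question_search(events):
    """Models: stats count, values(host) as Host, list(Time1), list(Time2) by devtype"""
    groups = defaultdict(list)
    for e in events:
        groups[e["devtype"]].append(e)
    return {d: {"count": len(g),
                "Host": spl_values(e["host"] for e in g),
                "Time1": spl_list(e["Time1"] for e in g),
                "Time2": spl_list(e["Time2"] for e in g)}
            for d, g in groups.items()}

def answer_search(events):
    """Models: stats count latest(..) by devtype host | stats sum(count) list(..) by devtype"""
    per_host = {}
    for e in events:                   # constructed events are oldest first
        row = per_host.setdefault((e["devtype"], e["host"]), {"count": 0})
        row["count"] += 1
        row["Time1"], row["Time2"] = e["Time1"], e["Time2"]   # last seen = latest
    groups = defaultdict(list)
    for (d, h), row in sorted(per_host.items(), key=lambda kv: kv[0]):
        groups[d].append((h, row))     # first stats output is ordered by the by-fields
    return {d: {"count": sum(r["count"] for _, r in g),
                "Host": spl_list(h for h, _ in g),
                "Time1": spl_list(r["Time1"] for _, r in g),
                "Time2": spl_list(r["Time2"] for _, r in g)}
            for d, g in groups.items()}

def make_events(n_hp=150):
    """Constructed sample: n_hp HP hosts plus two Dell hosts, one event each."""
    ev = [{"devtype": "HP", "host": f"host{i}",
           "Time1": f"10:{i // 60:02d}:{i % 60:02d}",
           "Time2": f"11:{i // 60:02d}:{i % 60:02d}"} for i in range(1, n_hp + 1)]
    ev += [{"devtype": "Dell", "host": h, "Time1": "10:00:00", "Time2": "11:00:00"}
           for h in ("dell1", "dell2")]
    return ev

if __name__ == "__main__":
    for name, fn in (("question", question_search), ("answer", answer_search)):
        hp = fn(make_events())["HP"]
        print(name, hp["count"], len(hp["Host"]), len(hp["Time1"]), hp["Host"][1], hp["Time1"][1])
```

In this model the question's search returns 150 hosts beside 100 times in a different order, so row N of Host does not belong to row N of Time1. The answer's search keeps each host and its times on the same row, but each list still stops at 100 per devtype.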