Just add this to your existing search:
... | transpose | rename column AS Hash_type "row 1" AS values
Give this a try
index=bigfix sourcetype=software | stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | fields - temp
If you want to merge all values for a particular HASH_TYPE, try this
index=bigfix sourcetype=software | stats values(md5) as md5 by sha256 | eval temp=1 | untable temp HASH_TYPE HASH | stats values(HASH) as HASH by HASH_TYPE
I am getting the output below when executing this query
index=res sourcetype=res_auth_file_hashes | eval HASH_TYPE = case(len(HASH)=64,"sha256", len(HASH)=32,"md5") | stats values(HASH) as HASH by HASH_TYPE
Output

md5    005ECF2A6C557DDCEC50E8BF5627BA9C
       00BB8079A7A4DA87FE5CEBFD3E34864B
       00FD993D5756CBB66326895778869269
Desired Output

md5    005ECF2A6C557DDCEC50E8BF5627BA9C
md5    00BB8079A7A4DA87FE5CEBFD3E34864B
md5    00FD993D5756CBB66326895778869269
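The reshape the thread is after (wide sha256/md5 rows turned into long HASH_TYPE/HASH rows, then one row per value or one grouped row per type) emulated in Python on constructed sample data; this is an added illustration of what the `untable` and `stats values()` steps above produce, not code from the thread or from Splunk. The `hash_type` rule copies the `len(HASH)` case() used in the search above; everything else (row shapes, field names) is an assumption.

```python
# Added example: emulate the SPL reshape from the thread on constructed rows.
# Constructed input, shaped like the output of `stats values(md5) as md5 by sha256`:
# one row per sha256, where md5 may be a multivalue field (a list).
WIDE_ROWS = [
    {"sha256": "a" * 64, "md5": ["b" * 32, "c" * 32]},
    {"sha256": "d" * 64, "md5": "e" * 32},
]


def hash_type(value):
    """Same rule as the thread's eval: case(len(HASH)=64,"sha256", len(HASH)=32,"md5").
    case() with no default yields null in Splunk, mirrored here as None."""
    n = len(value)
    if n == 64:
        return "sha256"
    if n == 32:
        return "md5"
    return None


def untable(rows, hash_fields=("sha256", "md5")):
    """Emulate `untable temp HASH_TYPE HASH` (with the dummy temp field dropped):
    every hash column becomes (HASH_TYPE=<column name>, HASH=<value>) rows.
    Multivalue cells are expanded to one row per value, the 'desired output' above."""
    out = []
    for row in rows:
        for field in hash_fields:
            vals = row.get(field)
            if vals is None:
                continue
            if isinstance(vals, str):
                vals = [vals]
            out.extend({"HASH_TYPE": field, "HASH": v} for v in vals)
    return out


def group_values(long_rows):
    """Emulate `stats values(HASH) as HASH by HASH_TYPE`: values() returns the
    deduplicated, lexicographically sorted values per group."""
    groups = {}
    for r in long_rows:
        groups.setdefault(r["HASH_TYPE"], set()).add(r["HASH"])
    return {k: sorted(v) for k, v in groups.items()}


def classify_and_group(hashes):
    """The other approach in the thread: classify bare HASH values by length, then
    group. Values of unrecognised length get a null HASH_TYPE, and Splunk's stats
    drops events whose by-field is null, so they are dropped here too."""
    typed = [{"HASH_TYPE": hash_type(h), "HASH": h} for h in hashes]
    return group_values([r for r in typed if r["HASH_TYPE"] is not None])
```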
Use | transpose | rename column as HASH_TYPE | rename row* as HASH_VALUES*
at the end of your search
Thanks, this query works partially; renaming row* AS HASH_VALUES* is creating multiple rows.
Current output after executing the above query

Hash_type  row1           row2
sha256     0002b43ce3.... 00053ae8...
md5        5f149df4c6.... db0f55d89....
Desired output

Hash_type  HASH_VALUES
sha256     0002b43ce3....
           00053ae8...
md5        5f149df4c6....
           db0f55d89....
Should I use mvcombine to get the desired output? Please suggest.
HASH_TYPE and HASH_VALUES are 2 different rows, under which sha256 and md5 come as HASH_TYPE and their corresponding values.
Can you share your current search? Typically, something like this should work...
.... | stats values(values) as values by Hash_type
Current search: index=bigfix sourcetype=software | stats values(md5) by sha256

sha256     md5
000sadasd  asdasdasdsad
235asddas  dasda232wded
Desired output

Create a new column HASH_TYPE and HASH

HASH_TYPE  HASH
sha256     000sadasd
           235asddas
md5        asdasdasdsad
           dasda232wded
You can do:
| stats values(md5) AS HASH by sha256 | rename sha256 AS HASH_TYPE
Do you already have the HASH_TYPE and HASH fields extracted? If not, can you share some sample data?