Solved: search query with table.

kiran331 · ‎07-01-2016

Hi all, I have the fields unit, user, work from the result set:

unit      user     work 
   a     kiran        w
   b    splunk        x
   c       abc        y
   d      cdvv        z

I need these results into

      a          b           c         d
kiran-w    cdvv -z    splunk-x     abc-y

How to get this final table?

woodcock · ‎07-01-2016

Just add this to the end:

| eval value=user . "-" . work
| eval ThisFieldIsJunk="junk"
| chart values(value) BY ThisFieldIsJunk unit | fields - ThisFieldIsJunk

woodcock · ‎07-01-2016

Just add this to the end:

| eval value=user . "-" . work
| eval ThisFieldIsJunk="junk"
| chart values(value) BY ThisFieldIsJunk unit | fields - ThisFieldIsJunk

vishal_bandavad · ‎07-01-2016

Just need little correction in above query . i tried with following query

| eval value=user . "-" . work
| eval ThisFieldIsJunk="junk"
| chart values(value) over ThisFieldIsJunk  by unit unit | fields - ThisFieldIsJunk

Hope this would work

woodcock · ‎07-01-2016

These are exactly equivalent (two different command syntax forms that do exactly the same thing).

search query with table.