Okay, reporting back. Your advice was sound. I managed to drop the mvexpand altogether by substituting in this bit of logic at the end.

| stats values(dhcp_host_name) as Hostname values(Switch) as Switch values(Port) as Port values(ip_add) as IP_Address values(mac_add) as MAC_Address list(session_time) as session_time by Session_ID, Auth
| eval Time=mvmap('session_time', if(substr('session_time', 1, len('Session_ID'))=='Session_ID', substr(session_time, len('Session_ID')+2), null()))
| table Time Hostname IP_Address MAC_Address Switch Port Auth
| sort -Time

Just so you have an example of what my data might look like for one event.

Session_ID= "7D5A007C1B294E"
session_time= "7D5A007C1B294E,2025-02-11 12:56:51" "9DE81CAB15DD46,2025-02-06 15:22:13"

By using mvmap, I iterate through session_time and check each value to find which equals that event's Session_ID. Then I extract the Time field from that value.
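An offline model of the stats/mvmap logic in the post, added here as an example and not the poster's code; the events are constructed to mirror the fields shown (Session_ID plus the multivalue `<Session_ID>,<timestamp>` entries) and the field names `Switch`/`Port` are carried as in the search. It compares the whole ID before the comma instead of a length-based prefix, so a longer ID that merely begins with the same characters is not taken as a match.

```python
from collections import defaultdict

# Constructed sample events (not real data): the same Session_ID appears
# in several events, and session_time holds "<Session_ID>,<timestamp>".
EVENTS = [
    {"Session_ID": "7D5A007C1B294E", "Auth": "dot1x", "dhcp_host_name": "laptop-01",
     "ip_add": "10.0.0.5", "mac_add": "aa:bb:cc:dd:ee:01", "Switch": "sw1", "Port": "Gi1/0/1",
     "session_time": "7D5A007C1B294E,2025-02-11 12:56:51"},
    {"Session_ID": "7D5A007C1B294E", "Auth": "dot1x", "dhcp_host_name": "laptop-01",
     "ip_add": "10.0.0.5", "mac_add": "aa:bb:cc:dd:ee:01", "Switch": "sw1", "Port": "Gi1/0/1",
     "session_time": "9DE81CAB15DD46,2025-02-06 15:22:13"},
    {"Session_ID": "9DE81CAB15DD46", "Auth": "mab", "dhcp_host_name": "printer-7",
     "ip_add": "10.0.0.9", "mac_add": "aa:bb:cc:dd:ee:02", "Switch": "sw2", "Port": "Gi1/0/7",
     "session_time": "9DE81CAB15DD46,2025-02-06 15:22:13"},
]

# Fields collapsed with values(...) in the stats command, and their output names.
VALUE_FIELDS = {"dhcp_host_name": "Hostname", "Switch": "Switch", "Port": "Port",
                "ip_add": "IP_Address", "mac_add": "MAC_Address"}


def time_for_session(session_id, session_times):
    """Equivalent of the mvmap/substr eval: return the timestamp of the
    entry whose ID (text before the comma) equals this event's Session_ID."""
    for entry in session_times:
        sid, _, stamp = entry.partition(",")
        if sid == session_id:          # exact ID match, not a prefix match
            return stamp
    return None                        # null() in SPL: no entry for this session


def build_table(events):
    """Equivalent of `stats values(...) list(session_time) by Session_ID, Auth`
    followed by the eval, table and `sort -Time` commands."""
    groups = defaultdict(lambda: {f: set() for f in VALUE_FIELDS} | {"times": []})
    for ev in events:
        g = groups[(ev["Session_ID"], ev["Auth"])]
        for f in VALUE_FIELDS:
            g[f].add(ev[f])                      # values(): distinct, unordered
        g["times"].append(ev["session_time"])    # list(): every occurrence kept
    rows = []
    for (sid, auth), g in groups.items():
        row = {"Time": time_for_session(sid, g["times"])}
        row.update({out: sorted(g[f]) for f, out in VALUE_FIELDS.items()})
        row["Auth"] = auth
        rows.append(row)
    return sorted(rows, key=lambda r: r["Time"] or "", reverse=True)
```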