I am trying to find a way to clean up the display of one of my searches. I use a lookup table to input a field from one of my search results (column A in my lookup table), and then output to a table to make the data easy to read (column B and C give a more high level description of column A). The problem I am having is that my lookup table looks like this:
A  B  C
1  1  one
2  1  one
3  1  one
4  2  two
5  2  two
6  2  two
I am basically inputting the value from my search which corresponds to column A, into the lookup table and trying to return the value from column C (assume "one" is a description for something). In this case, it is intentional that multiple items in the table can roll up into having the same description. The problem is, when I use the table function, it leaves me with results like this:
http://i.imgur.com/936hiWF.png
What I am trying to point out is that it shows the same "description" multiple times because there is more than one entry in the lookup table that corresponds with the field value that I put into my lookup table (this is expected because the field I am trying to display is a "rollup" general description that multiple things can fall under). If I try to dedup on the field that I only want to see one description of, it shortens my results but leaves the multiple duplicate descriptions. Since multiple fields can roll up and have the same exact description, I'd like the table to only show it once rather than multiple times, since that makes it more confusing. So it should actually be something like this:
Here is a basic representation of what my search looks like:
"searchtext" source="mylog.log" | transaction maxpause=1s a, b, c, d | search value=1 value=2 eventcount=2 | where mvcount(field)=1 | where b!=0 | eval lookupfield=logfield | lookup my_lookup_table lookupfield | table _time, field1, field2, field3, field4, field5, field6, lookuptablefield, field7, field8
Maybe I am just using the table and dedup commands out of order? Or is there another function that would do a better job at this? I'm kind of stuck on needing the table command because I want the fields to be in a specific order.
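The behaviour described in the post (one input value matching several lookup rows, so the output field comes back with the same description repeated) is what happens when a Splunk lookup returns a multivalue field: each matching row contributes one value. The search below is an added example, not part of the original post or an answer from the thread; it keeps the poster's own search and field names (my_lookup_table, lookupfield, lookuptablefield, field1..field8, which are assumed to mean what the post says) and collapses the repeated values with the eval function mvdedup before the table command, so the column order the poster needs is unchanged. The makeresults line at the end is a stand-alone check of the same idea against the lookup table shown in the post and assumes the lookup's columns are literally named A, B and C.

```spl
"searchtext" source="mylog.log"
| transaction maxpause=1s a, b, c, d
| search value=1 value=2 eventcount=2
| where mvcount(field)=1
| where b!=0
| eval lookupfield=logfield
| lookup my_lookup_table lookupfield
| eval lookuptablefield=mvdedup(lookuptablefield)
| table _time, field1, field2, field3, field4, field5, field6, lookuptablefield, field7, field8

| makeresults
| eval A=1
| lookup my_lookup_table A OUTPUT C
| eval C=mvdedup(C)
| table A, C
```

mvdedup only removes duplicate values within one event's multivalue field; it does not change the number of rows, which is why it combines cleanly with a table command that fixes column order. The dedup command the poster tried works on whole events (one row per distinct value of the named field), which is why it shortened the result set but left the repeated descriptions inside each remaining row.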