We have devices that generate thousands of a particular entry. I created a daily search to summarize. I combined the src_int and dest_int into a single field labeled interfaces. What my boss wants is to see the total number of events per host, but only unique to the new field. The problem is he also wants to dedup the interfaces field even if the src_int and dest_int are reversed like this:
Here is the current search:
index=network sourcetype="cisco:ios*" (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF")
| eval Interfaces = src_int + "," + dest_int | table host, Interfaces | sort host | dedup Interfaces
What I need is to somehow dedup the "Interfaces" field even if the 2 fields that make up the eval are reversed. I then need to add a count of unique "Interfaces" entries per host after the dedup.
Thanks!
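One way to get an order-independent pair, as an added example and not part of the original post: build the Interfaces value from the two fields in a fixed (lexicographic) order, so that A,B and B,A produce the same string, then let stats count per host. Field names (src_int, dest_int, host, key_word) are the ones from the search above; the only assumption is that src_int and dest_int are plain interface-name strings, so the `<=` comparison is lexicographic.

```spl
index=network sourcetype="cisco:ios*" (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF")
| eval Interfaces = if(src_int <= dest_int, src_int . "," . dest_int, dest_int . "," . src_int)
| stats count AS events BY host, Interfaces
| stats sum(events) AS events, dc(Interfaces) AS unique_interfaces, values(Interfaces) AS Interfaces BY host
| sort host
```

The first stats collapses every event onto its canonical pair per host (replacing the dedup, which only removed exact duplicates), and the second gives one row per host with the total event count, the number of distinct pairs, and the list of pairs; drop the values(Interfaces) term if the list is not wanted in the daily summary.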