Table additional field after stats command

marco_massari11 · ‎11-30-2020

Hi,

I have a query:

index="cisco" hostname=* (cat_name=passed OR cat_name=failed) type="Ethernet"
| eval site=case(substr(NetworkDeviceName,1,7)=="mysite",substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4),1=1,substr(NetworkDeviceName,1,7) )
| stats count by site mac_address cat_name type
| eval type_cat_name=type."_".cat_name
| eval site_mac=site."_".mac_address
| xyseries site_mac type_cat_name count
| rex field=site_mac "(?<site>.*)_(?<mac>.*)"
| search "Call Check_CISE_Failed_Attempts">=1 AND "Call Check_CISE_Passed_Authentications"="NULL" AND "Framed_CISE_Failed_Attempts"="NULL" AND "Framed_CISE_Passed_Authentications"="NULL"
| chart dc(mac) As Endpoints by site

So the result is a column chart that shows for each site the count of mac address that correspond to the search condition. Now if I want to click on a column I go to another dashboard for the specific site and for the mac address I need additional fields to show in a table like site, mac_address, port, interface. I tried to add this field in the by clause after stats but it seems doesn't work.

Have you any suggestions?

Table additional field after stats command

chart

drilldown

form

panel

token

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Table additional field after stats command