Table additional field after stats command

marco_massari11 · ‎11-30-2020

Hi,

I have a query:

index="cisco" hostname=* (cat_name=passed OR cat_name=failed) type="Ethernet"
| eval site=case(substr(NetworkDeviceName,1,7)=="mysite",substr(NetworkDeviceName,1,7) + substr(NetworkDeviceName, -4),1=1,substr(NetworkDeviceName,1,7) )
| stats count by site mac_address cat_name type
| eval type_cat_name=type."_".cat_name
| eval site_mac=site."_".mac_address
| xyseries site_mac type_cat_name count
| rex field=site_mac "(?<site>.*)_(?<mac>.*)"
| search "Call Check_CISE_Failed_Attempts">=1 AND "Call Check_CISE_Passed_Authentications"="NULL" AND "Framed_CISE_Failed_Attempts"="NULL" AND "Framed_CISE_Passed_Authentications"="NULL"
| chart dc(mac) As Endpoints by site

So the result is a column chart that shows for each site the count of mac address that correspond to the search condition. Now if I want to click on a column I go to another dashboard for the specific site and for the mac address I need additional fields to show in a table like site, mac_address, port, interface. I tried to add this field in the by clause after stats but it seems doesn't work.

Have you any suggestions?

Table additional field after stats command

chart

drilldown

form

panel

token

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?