Solved: How do I change the output format of my search res...

SrinivasaC · ‎06-29-2015

Hi

Using the search below, I'm getting an output in the format below (A,B,C are headers):

A    B    C
------------------
46   23   34
46   23   45
46   23   67
46   56   26
46   56   48
46   56   16
56   12   21
56   12   43
56   12   54
98   29   67
98   29   98
98   29   64

But as per my client use, I need the output in the format below:

A      B      C
---------------------
46     23     34
              45
              67
46     56     26
              48
              16
---------------------
56     12     21
              43
              54
---------------------
98     29     67
              98
              64
---------------------

I have used stats, List, values, and transaction commands, but it didn't work.

Can I get any help?

Thanks in advance.

woodcock · ‎06-29-2015

This will do it:

 ... | stats list(C) AS C BY A B

View solution in original post

woodcock · ‎06-29-2015

This will do it:

 ... | stats list(C) AS C BY A B

SrinivasaC · ‎06-29-2015

What if I need all columns would display under one column?
means in output A , B and C should merged into one column as "A".

woodcock · ‎06-29-2015

Like this:

... | eval BandC = B . " " . C | stats values(BandC) AS "B C" by A

SrinivasaC · ‎06-29-2015

unable to format in html, last two rows would be display in "C" in each of the results.

How do I change the output format of my search results?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...