I have events that include an **application name** field and a **uservalue** field.
When i table the data by **application** and **uservalue**, i see each event individually thus meaning i get multiple pages of events with the same application name.
How can I have one entry for each **application name** and a multivalue field showing the **uservalues**?
EG: go from
application uservalue
app1 123456
app1 234567
app1 345678
app2 987654
app2 876543
app2 765432
and get :
application uservalue
app1 123456
234567
345678
app2 987654
876543
765432
It's probably something really easy, but I've stepped away from Splunk for awhile and forget even the easy stuff.
Thanks
↧