How-To: Add a single field to groupBy() results

When using groupBy() to aggregate data, you may also find yourself needing to include data from fields such as aid, aip, event_simpleName, etc. To accomplish this, you can use the stats() and collect() functions.

Below is an example demonstrating adding DomainName to the results of a groupBy() query where the data is grouped by ComputerName and FileName.

logscale

groupBy([ComputerName, FileName], function=collect(DomainName))

This example groups everything by unique pairs using ComputerName and FileName, then collects all DomainName values from each of the unique pairings.

The results look like this:

Knowledge Base

How-To: Add a single field to groupBy() results

Enter search term