Feature Request: by clause

[troyheady2]

It would be useful to maintain different trees if the data source contained many hosts or days.

can we add this as Option?

i think it would be easy as adding an extra level of dictionary for each byclause concatenated value (or maybe fast hash)

[murchisd]

Hey @troyheady2, great idea! I will try to implement this. In the meantime a quick and dirty way to do this is by adding the hostname in the child and parent fields. Example below

index=main source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | rex field=ParentImage "\x5c(?[^\x5c]+)$" | rex field=Image "\x5c(?[^\x5c]+)$" | eval parent = ParentName." (".ParentProcessId."-".host.")" | eval child = ProcessName." (".ProcessId."-".host.")" | eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine | pstree child=child parent=parent detail=detail spaces=50