Solved: Re: How to extract multivalue field values without...

lpolo · ‎08-31-2016

I would like to extract the key=value pairs found in a multivalue field, but without doing mvexpand mvfield.

Note: the multivalue field is created with the split command.

For instance result set after split command:

|eval mvfield=split(mvfield,"&")

Result:

timestamp mvfield=(k1=v1, k2=v2, k3=v3...,kn=vn)

desired result set without using mvexpand:

 timestamp (k1=v1, k2=v2, k3=v3,...,kn=vn

Thanks,
Lp

sundareshr · ‎08-31-2016

Have you looked at extract? Try this

base search | extract pairdelim="&" kvdelim="=" | ...

sundareshr · ‎08-31-2016

Have you looked at extract? Try this

base search | extract pairdelim="&" kvdelim="=" | ...

lpolo · ‎08-31-2016

Yeah. I forgot about the extract command. It does the trick.

thanks,
Lp

sundareshr · ‎08-31-2016

Please accept the answer to close it out.

How to extract multivalue field values without using the mvexpand command?