Hello,
I have two searches that use transactions to get part of a table of results that I want.
Firstly,
index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "*sample*" | transaction instance | fields instance, application, config | fields - _time
This brings me a table, eg
App1  Result1
      Result2 exampletext
      Result3
App2  Result4 A text
      Result5 b
      Result6 c
And a second, which produces similar for a different sourcetype
index="ems" sourcetype="factoryconfig" | search NOT "" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance
App1  Connection1 details
      Connection2 details
      Connection3 details
App2  Connection4 details
      Connection5 details
      Connection6 details
What I want to do is join the two searches:
index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]
To get a table such as
App1  Result1              Connection1 - url - type
      Result2 exampletext  Connection2 - url - type
      Result3              Connection3 - url - type
App2  Result4 A text       Connection4 - url - type
      Result5 b            Connection5 - url - type
      Result6 c            Connection6 - url - type
But when I do a join, it messes up the formatting and I get this, i.e. it gets rid of my nice formatting. Does anyone know why?
App1  Result1 Result2 example text Result3  Connection1 - url - type Connection2 - url - type Connection3 - url - type
App2  Result4 A text Result5 b Result6 c    Connection4 - url - type Connection5 - url - type Connection6 - url - type
Hi Hazel, it seems like you lost the "multivalue" property for those fields. Have you tried to force a:
... | makemv delim="<proper delimiter>" factoryconfig | makemv delim="<proper delimiter>" config
at the end of the search string? You might have to cook a delimiter into the original fields to be able to split them at the end of the search string.
I was able to obtain a messed up table as in your example with this query:
index="test" earliest=-10d
| rex field=source "(?<path>(\w+\\\\)+)"
| bucket _time span=10m
| transaction path
| fields host, path, source
| fields - _time
| join s max=0
[search index="test" earliest=-10d
| rex field=source "(?<path>(\w+\\\\)+)"
| rex field=source "(?<filename>[^\\\\]+)$"
| bucket _time span=10m
| transaction path
| fields host, path, source, filename
| fields - _time]
And was able to restore the multivalues by appending this at the end:
... | table host source path filename
| makemv delim=" " source
| makemv delim=" " filename
Hope that helped you out a bit
index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]
Can you add to your post the search that you are using to do the join? I see the two base searches, but there could be an issue with how you are using the join search command that would help reveal the issue.
Hazel, is this still an open issue for you? I don't fully get what you are asking, but I'm wondering if your "Using Multiple stats list" question was part of the answer to this question as well.
Hi, yes I was still hoping for an answer for this one - might raise a support case. In this one, I get the data fine, but the question is to do with the formatting. As you can see in my two separate searches, it is formatted nicely on multiple lines, but when I join the searches, you lose this feature.