I've got some data I'm matching with a rex akin to:
| rex max_match=5 field=_raw "(?<myvalue>\d{4})"
However, if my data looks like this:
name=Bill 1234 rhubarb 1234 5678 colour=green name=Dana 8273 apple 4428 8312 colour=purple
Then the match is finding 1234 twice and 5678 once for bill, and all three values for Dana.
What I'm after is a table of output that has something like:
name myvalue ---------------------------- Bill 1234 5678 Dana 8273 4428 8312
Right now I'm getting Bill's entry having 1234 listed twice...
name myvalue ---------------------------- Bill 1234 1234 5678 Dana 8273 4428 8312
I've found ways of doing this for a single combination of fields by using:
| chart values(myvalue) over name
But that doesn't work if I want to add a third field, such as colour:
name myvalue colour --------------------------------------- Bill 1234 5678 green Dana 8273 4428 8312 purple
Ideas?
I believe this is what you are looking for.
| stats values(myvalue) as MyValues, values(colour) as Colours by name
You could also use ...
| eval myvalue=mvdedup(myvalue)
...which will sort the multivalue field into order and dedup the results.