I need to make a table with some information from events.
my event looks like:
[timestamp][some info]
[function_name_1][id_1][param_1][result_1]
[function_name_2][id_2][param_2][result_2]
[function_name_3][id_3][param_3][result_3]
...
[function_name_n][id_n][param_n][result_n]
Because my regexp only found the first occurance of the fields(function_name,id,param,result) so I used MV_ADD for all multivalue fields and now it finds all occurences.
My table should looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_2|id_2 |param_2|result_2
3 |timestamp |some_info |function_name_3|id_3 |param_3|result_3
4 |timestamp |some_info |function_name_4|id_4 |param_4|result_4
problem is with multivalue fields, for the last 4 column in one record I've got couple values and my table looks like:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1|param_1|result_1
| | |function_name_2|id_2|param_2|result_2
| | |function_name_3|id_3|param_3|result_3
| | |function_name_4|id_4|param_4|result_4
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
| | |function_name_2|id_2 |param_2|result_2
| | |function_name_3|id_3 |param_3|result_3
| | |function_name_4|id_4 |param_4|result_4
I read about mvexpand command but it doesn't work good with multiple multivalue fields.
after mvcommand for all multivalue fields I've got:
index |timestamp |some_info |function_name |id |param |result
1 |timestamp |some_info |function_name_1|id_1 |param_1|result_1
2 |timestamp |some_info |function_name_1|id_1 |param_1|result_2
3 |timestamp |some_info |function_name_1|id_1 |param_1|result_3
4 |timestamp |some_info |function_name_1|id_1 |param_1|result_4
5 |timestamp |some_info |function_name_1|id_1 |param_2|result_1
6 |timestamp |some_info |function_name_1|id_1 |param_2|result_2
7 |timestamp |some_info |function_name_1|id_1 |param_2|result_3
8 |timestamp |some_info |function_name_1|id_1 |param_2|result_4
9 |timestamp |some_info |function_name_1|id_1 |param_3|result_1
10 |timestamp |some_info |function_name_1|id_1 |param_3|result_2
11 |timestamp |some_info |function_name_1|id_1 |param_3|result_3
...
(n-1) |timestamp |some_info |function_name_4|id_4 |param_4|result_3
n |timestamp |some_info |function_name_4|id_4 |param_4|result_4
My last query looks like:
"table _time some_info function_name id param result | mvexpand function_name| mvexpand id|mvexpand param |mvexpand result"
Could any one help me with this situation.
Thanks,
Adrian.
I would try to use spath, output the result in a field, and do an mvexpand on that...
I'm not sure to understand your problem, I've done something similar with xml.
In your case, maybe you should extract all information as one field (lets say eField) " |function_name_1|id_1 |param_1|result_1", then mvexpand, and only after that, extract fields out of this eField
I have tried that. mvexpand is giving each field as one line as
P_NAME P_value
p1 m1
p2 m2
p3 m3
But I cannot figure out how to do one to one mapping of P_NAME and P_ID as I need to draw a chart like
chart first(P_value) over _time by P_NAME
Please help.
Thanks
Did You find any solution..Looks like nobody answering multiple multivalued field.I am stucked with the same.
Hi aadrian,
I am facing a similiar situation, have you got a solution to this?? even i am struggling to do the same.
Thnx