I have a subsearch to a join that returns a multivalued field. However, when that's put into a table in the parent search, it becomes a single value field... Just wondered why and how to deal with it.
index=web (host=X cs_uri_stem=/login status=500) OR (host=Y cs_uri_stem=/subrequest)
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
| where count=2
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
| stats values(Message) as Message by Correlation_Id | eval d=mvcount(Message) ]
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d
In the subsearch d is set to the count of the mv field items and is generally 2 or 3, but in the outer search c becomes 1 and the resultant text field is shown as a single piece of text with all messages concatenated.
How can I keep the mv field status from the subsearch? The outer search has no field called Message.
You are using a field that does not exist. Please review the search sentence.
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
⇒ Correlation_Id, Path, Status, count
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
| stats values(Message) as Message by Correlation_Id
⇒ Correlation_Id, Message
| eval d=mvcount(Template) ]
⇒ Correlation_Id, Message ※ Template does not exist
| eval c=mvcount(Template)
⇒ Correlation_Id, Path, Status, count, Message ※ Template does not exist
| table Correlation_Id, Path, TimeTaken, Status, Template, c, d
⇒ Correlation_Id, Path, TimeTaken (※ NULL), Status, Template (※ NULL), c (※ NULL), d (※ NULL)
Duh - sorry - there was me trying to simplify the query from the original - only did half a job - basically Message was Template - hope that clarifies. Thanks for the pick