My data fields are in the table format below:

| monitoringData | key | value |
|---|---|---|
| documentStatus":null,"timestamp":1533032713303} | deliverableType | null |
| documentStatus":null,"timestamp":1533032713303} | docType | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_CE |
| documentStatus":null,"timestamp":1533032713303} | docId | RR |
| documentStatus":null,"timestamp":1533032713303} | revisionDate | 14018752 |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 234 |
| documentStatus":null,"timestamp":1533032713303} | docType | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | deliverableType | 4516 |
| documentStatus":null,"timestamp":1533032713303} | acProgram | 432_DE |
----------
But my **Requirement** is:

| monitoringData | deliverableType | docType |
|---|---|---|
| documentStatus":null,"timestamp":1533032713303} | null | 564_AD |
| documentStatus":null,"timestamp":1533032713303} | 4516 | 3572_BzW |
| documentStatus":null,"timestamp":1533032713303} | 234 | |
----------
Below is my search query:

```
sourcetype="adns"
| rex max_match=0 field=monitoringData "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"
| eval b=mvzip(key,value)
| mvexpand b
| makemv b delim=","
| eval key=mvindex(b, 0)
| eval value=mvindex(b, 1)
| table monitoringData key value
```
----------
Any help would be appreciated.
Thanks.
Hi @dhirendra761,

Try the query below:

```
| makeresults
| eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
| append [| makeresults | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"]
| table monitoringData key value
| chart values(value) over monitoringData by key
```

If it helped you, please accept it as an answer 🙂
@dhirendra761 is there any reason why you are not splitting the events by timestamp into individual events before indexing? You can avoid creating a multi-valued field and then splitting it into individual events at search time (which to me is just surplus overhead that can be avoided).
@harishalipaka
Yesss, it's working... Thank you very much.
Another alternative is the xyseries command (useful when you don't want to apply any aggregation with the chart command):

```
| makeresults
| eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="deliverableType", value="null"
| append [| makeresults | eval monitoringData="documentStatus:null,timestamp:1533032713303}", key="docType", value="564_AD"]
| table monitoringData key value
| xyseries monitoringData key value
```
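The answers above pivot rows that already hold separate key and value fields. The search below is an added example, not from any poster in this thread, that runs the whole pipeline from the original JSON string in monitoringData to the pivoted output: rex extracts every key/value pair, mvzip and mvexpand turn them into one row per pair, and xyseries pivots them back into one column per key. It assumes monitoringData carries the complete JSON object (the question's table shows only its tail), and the two events are constructed sample data, not real records. Because the question's sample rows all display the same monitoringData text, pivoting on that string alone would merge distinct events into one row, so the example numbers each event with streamstats and pivots on that event_id instead.

```spl
| makeresults count=1
| eval monitoringData="{\"docType\":\"564_AD\",\"deliverableType\":null,\"documentStatus\":null,\"timestamp\":1533032713303}"
| append
    [| makeresults count=1
     | eval monitoringData="{\"docType\":\"3572_BzW\",\"deliverableType\":4516,\"documentStatus\":null,\"timestamp\":1533032713303}"]
| streamstats count AS event_id
| rex max_match=0 field=monitoringData "\"(?<key>\w+)\":\"?(?<value>[^,\"}]+)"
| eval kv=mvzip(key, value, "=")
| fields - key value
| mvexpand kv
| rex field=kv "^(?<key>[^=]+)=(?<value>.*)$"
| xyseries event_id key value
| fields event_id deliverableType docType
```

The value pattern `[^,\"}]+` stops at the comma, the closing quote or the closing brace, so unquoted values such as `null` and the timestamp are captured without trailing punctuation; the old key and value multivalue fields are dropped before mvexpand so the per-row rex does not append to them. Expected output is two rows: event_id 1 with deliverableType `null` and docType `564_AD`, and event_id 2 with `4516` and `3572_BzW`. When monitoringData is well-formed JSON, `| spath input=monitoringData` extracts the same keys directly and the rex/mvzip steps can be skipped.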