Hi @chrisyoungerjds & @vishaltaneja07011993 ,

I understood the way which you guys are speaking about. I have already tried in the same way. I can see my field and their values, only if I use the "|table" command.

But we would like to see the same in the events too, as like "key-value" pair.

Any idea or way to achieve the same?

Try this:
| rex mode=sed "s/(\w+),(\w+),(\w+),(\w+.\w+),(\w+.\w+),(\w+.\w+)/Server=\1, OS=\2, Month=\3, Total_size=\4, avg_size=\5,max_size=\6/g"

You can add this search at index time or even at search time extraction in props.conf

Hi,

you can do this:

<your search> | format "" "" "" "" "" ""

and it will produce what you want.

Hi,

I guess both of your answers are similar. Instead of table command you are telling format command.
Actually I am aware that if I use those command, I can get the list of my values with their corresponding fields.
So the format you are suggesting is <basic search>|table <all fields> otherwise <basic search> | format "" "" ""
I am speaking about the indexed events, why it is not showing the field-value combination in each of the indexed event.
So if I run only my basic search like index=x souretype=y source=z, this will show the respective events.
So my events should look like
1. Server=prod_host_1,OS=Linux,Month=January,Total_size=650,avg_size=309.99,max_size=362.87
2. Server=prod_host_2,OS=Linux,Month=January,Total_size=700,avg_size=300.5,max_size=450

Why the events are not showing with this kind of field-value pairs by default.

HI.

Run your search, the do this:

1. Click "All FIelds" in the left pane.
2. Click "Select all within filter"
3. Make sure that you are in "Verbose" search mode and have selected "List" view type.
4. You should then see that you have the field pairs you want.

Good luck 🙂