Hello!
I am having a problem with this query:
index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1]
When I look a the result of the query, the FIELD2 is not multivaluate, it is composed of a single line with space between the values, instead of a multivalued field.
If I run the search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1
(without the join), I get the correct result, which is a multivaluate FIELD2.
It seems like the join command is somewhat interfering with the properties of the fields?
Does anyone have a clue on what's going on?
Thanks!
Guilhem
Try this query it might work fine for you case:
(index=myIndex) OR
(index=myOtherIndex)
| stats
first(_time) as _time
values(FIELD2) as FIELD2
dc(sourcetype) as dc by FIELD1|search dc=2
Try this query it might work fine for you case:
(index=myIndex) OR
(index=myOtherIndex)
| stats
first(_time) as _time
values(FIELD2) as FIELD2
dc(sourcetype) as dc by FIELD1|search dc=2
I can't remember where this search is, but I am now using this solution:
index=myIndex
| join FIELD1 max=0 [search index=myOtherIndex | stats values(FIELD2) as FIELD2 by FIELD1 ]
| eval FIELD2 = split(FIELD2, " ")
because split creates a multivalued field by splitting FIELD2 using the given delimiter (here it is the space character)
It is far from efficient but it works. I am sure it is possible to update it to a more efficient version thow
@guilhem
can you post your solution? I am facing the same problem.
I really appreciate your reply
Thanks
Thanks for the tip, I have finally done it in another way.