Hi, I am looking to merge 2 values of a multivalued field and put them in a table. For example, my current query is extracting data like this -
Now, if you look, the 1st and 2nd rows are actually the same event, because the description tag which I am extracting sometimes comes twice.
I have tried combining them using mvcombine and nomv, but then how would I extract the _time field as well?
Query -
index=my_prod source="/var/log/test.txt" mywebservice (error OR exception OR critical OR failure)
| rex field=_raw "description>(?<Exception>[^<]+)" max_match=2
| stats count by Exception
| sort - count
| mvcombine delim=" | " Exception
| nomv Exception
What I want to do is also add the _time field to the table, and that event should come as a single row with count as 1.
Let me know if someone can help.
...
| stats min(_time) as _time values(Exception) as Exception
| eval Exception=mvjoin(Exception,"|")
Please use a code sample and check your post.
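A self-contained search showing the per-event approach to the question above, as an added example that is not part of either post: the two `description` values are collapsed inside each event before any aggregation, so `_time` stays attached to the row. The `makeresults` event and its text are constructed sample data, and `mvdedup` is an addition here that drops the second value when it is identical to the first.

```spl
| makeresults
| eval _raw="<fault><description>Sample backend timeout (constructed)</description><detail><description>Sample backend timeout (constructed)</description></detail></fault>"
| rex field=_raw "description>(?<Exception>[^<]+)" max_match=2
| eval Exception=mvjoin(mvdedup(Exception), " | ")
| stats count by _time, Exception
| sort - count
```

Against real data, replace the first two lines with the base search from the question.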