Hi Srinath,
Srinath USER1 IND0010001
USER2 IND0010002
USER3 IND0010003
how to convert above single row values to seperate rows like below
Srinath USER1 IND0010001
Srinath USER2 IND0010002
Srinath USER3 IND0010003
Thanks,
Srinath
Try this
index=test sourcetype=testuser | makemv delim="xFD" APPLICATION | makemv delim="xFD" COMPANY | makemv delim="xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME | eval temp=mvzip(mvzip(application,company,"#"),function,"#") | mvexpand temp | rex field=temp "(?<application>.*)#(?<company>.*)#(?<function>.*)" | fields - temp
I also need to do this..... would you please explain me the code I didn't understood.
What is APPLICATION, FUNCTION... and USER_NAME here ? and how does it works
It is fetching the first record for each user if any of the field which is used in the mvzip is null otherwise it is fetching all the records. It is working well if all the values present.
Thanks a lot.. it is working well
How did you get the results that you are showing? What was the original search string? What does the data look like? Without this information, I don't think the community can help much.
This is the search quiery
index=test sourcetype=testuser | makemv delim="\xFD" APPLICATION | makemv delim="\xFD" COMPANY | makemv delim="\xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME