Here is a sample of my event:
The key is repeated multiple times but it may have different values. The order is guaranteed.
How can I create a graph based on these events?
Hi apple4life,
you can achieve this in a search by using this nice eval feature shown in this run everywhere command:
| gentimes start=-1 | eval type="time1", value="100" | eval {type}=value | table time*
It will use the value of the field type as new field name and the value of the field value as its value.
You can do the same in props.conf and transforms.conf as well:
props.conf
[sourcetype here]
REPORT-getmynewfields = getmynewfieldsformmydata
transforms.conf
[getmynewfieldsformmydata]
REGEX = type=([^,]+),\svalue\s=\s([^,]+)
FORMAT = $1::$2
This will do the same based on the regex.
The configs must be placed on the search head, because it is a search time field extraction.
Hope this helps ...
cheers, MuS
Try this
| rex max_match=0 "type=(?<type>[^\,]+)" | rex max_match=0 "value\s=\s(?<val>[^\,]+)" | eval z=mvzip(type, val) | mvexpand z | rex field=z "(?<type>[^\,]+)\,(?<val>.*)" | stats avg(val) as value by type
Just thought of one more approach
... | extract mv_add=t pairdelim="," kvdelim="=" | eval z=mvzip(type, value) | mvexpand z | rex field=z "(?<type>[^\,]+)\,(?<val>.*)" | stats avg(val) as value by type
This happens when it takes you too long to type an answer 😉 meanwhile someone else comes up with one 🙂
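An added example, not code from any poster in this thread: a Python check, run offline, of how the REGEX from the transforms.conf stanza above pairs repeated type/value keys in event order, followed by the per-type average that the stats-based answers compute. The sample events are constructed (the original event is not shown on this page) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The REGEX from the transforms.conf stanza in the thread, unchanged.
PAIR_RE = re.compile(r"type=([^,]+),\svalue\s=\s([^,]+)")

# Constructed sample events (assumption: the thread's real event is not shown).
# Layout is inferred from the regex: "type=<name>, value = <number>", repeated.
# The second event contains a type with no value, to show how it is handled.
SAMPLE_EVENTS = [
    "type=time1, value = 100, type=time2, value = 250, type=time1, value = 300",
    "type=time2, value = 150, type=time3, type=time1, value = 50",
]


def extract_pairs(raw):
    """Return (type, value) tuples in event order, one per regex match."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in PAIR_RE.finditer(raw)]


def avg_by_type(events):
    """Average the numeric values per type across all events."""
    buckets = defaultdict(list)
    for raw in events:
        for name, val in extract_pairs(raw):
            try:
                buckets[name].append(float(val))
            except ValueError:
                continue  # skip values that are not numeric
    return {name: sum(vals) / len(vals) for name, vals in sorted(buckets.items())}


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_pairs(raw))
    print(avg_by_type(SAMPLE_EVENTS))
```

Because a single regex captures the type and its value together, a type that has no value (time3 in the second constructed event) produces no pair and does not shift the values of the types that follow it.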