Solved: Adding a field from one event to others

h2dennis · ‎11-19-2020

Let's say I have these events:

Index = A, Member = 1111, Cart Id = 1

Index = A, Member = 2222, Cart Id = 2

And these events DID NOT have a member ID field

Index = A, Associate = Bill, Cart Id = 1

Index = A, Associate = Carl, Cart Id = 1

Index = A, Associate = Rick, Cart Id = 2

I want to display this:

Associate Member

Bill 1111

Carl 1111

Rick 2222

How would I do that?

richgalloway · ‎11-19-2020

The stats command can group the events by Cart Id.

| stats values(*) as * by "Cart Id"
| mvexpand Associate
| table Associate Member

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎11-19-2020

The stats command can group the events by Cart Id.

| stats values(*) as * by "Cart Id"
| mvexpand Associate
| table Associate Member

---
If this reply helps you, Karma would be appreciated.

h2dennis · ‎11-19-2020

Thanks. It was really the mvexpand that I was looking for

Adding a field from one event to others