show multiple fields in table after using a mvexpand in a query


Hi I am looking at data which includes a field with multiple lines of values. For instance:

$name$, $products$, $country$


an example of an event:

Peter Thompson

windows 10
office 2017
adobe reader 9



What I am trying to achieve is a table like:
name products country
Peter Thompson Windows 10 Germany
Peter Thompson Office 2017 Germany
Peter Thompson Adobe Reader 9 Germany


To do this I am using mvexpand on the products field which gives me the separated products and sorts them by rarity. I cannot however seem to create a table after that which pulls back the other values such as the name and country. It appears that after the mvexpand or the rare functions, all other fields are lost.


My query:

index=data sourcetype=stuff | mvexpand products | rare limit=10 products | eventstats count AS total by products, name | table count, name

The problem is that the rare command returns only the relevant fields.

Here's one way

index=data sourcetype=stuff 
| mvexpand products 
| appendpipe [| rare limit=10 products | eval myflag="keepme"]
| stats count AS total values(myflag) as myflag values(country) as country by products, name 
| where myflag="keepme"
| fields - myflag
| eval total = total - 1

The last line is subtracting the 1 record added by the appendpipe.

Thank you. I have tried that. Unfortunately whatever gets a "keepme" flag still looses all the other field values along the way...

