Converting from multiline field in table of result...

joy76 · ‎03-07-2013

search 1 :
index=web_access_log
| stats values(src_ip) as web_src_ip, count by dst_ip

search1's results :

web_src_ip dst_ip

123.123.123.123 111.111.111.111
234.234.234.234

345.345.345.345

search 2 :
index=web_access_log
| stats values(src_ip) as web_src_ip, count by dst_ip
| geoip dst_ip

search2's results

web_src_ip dst_ip dst_ip_country_name

123.123.123.123 234.234.234.234 345.345.345.345 111.111.111.111 country_name

After applying geoip command, the result of search2 shows in single-line form.
However, what I really wanted to show is to use geoip to result in multi-line form.
So, any suggestion? How can that be done?

sideview · ‎03-07-2013

geoip is a python command and I think it can be tricky to get a python command to handle multivalue fields correctly. This might be thus a problem in geoip, but I don't know for sure. At any rate, you can cheat!

use streamstats to paint a row number, use mvexpand to blow out the N x mv fields into N rows of single value fields, wash through geoip, then do stats values by rowIndex to compact it back into your mv form.

index=web_access_log 
| stats values(src_ip) as web_src_ip, count by dst_ip
| streamstats count as rowIndex
| mvexpand web_src_ip
| geoip dst_ip
| stats values(web_src_ip) as web_src_ip values(dst_ip) as dst_ip values(dst_ip_country_name) as dst_ip_country_name by rowIndex

You can strip off the last few pipes and run it pipe by pipe and that'll help you understand how it works.