Re: Converting from multiline field in table of re...

joy76 · ‎03-07-2013

search 1 :
index=web_access_log
| stats values(src_ip) as web_src_ip, count by dst_ip

search1's results :

web_src_ip dst_ip

123.123.123.123 111.111.111.111
234.234.234.234

345.345.345.345

search 2 :
index=web_access_log
| stats values(src_ip) as web_src_ip, count by dst_ip
| geoip dst_ip

search2's results

web_src_ip dst_ip dst_ip_country_name

123.123.123.123 234.234.234.234 345.345.345.345 111.111.111.111 country_name

After applying geoip command, the result of search2 shows in single-line form.
However, what I really wanted to show is to use geoip to result in multi-line form.
So, any suggestion? How can that be done?

sideview · ‎03-07-2013

geoip is a python command and I think it can be tricky to get a python command to handle multivalue fields correctly. This might be thus a problem in geoip, but I don't know for sure. At any rate, you can cheat!

use streamstats to paint a row number, use mvexpand to blow out the N x mv fields into N rows of single value fields, wash through geoip, then do stats values by rowIndex to compact it back into your mv form.

index=web_access_log 
| stats values(src_ip) as web_src_ip, count by dst_ip
| streamstats count as rowIndex
| mvexpand web_src_ip
| geoip dst_ip
| stats values(web_src_ip) as web_src_ip values(dst_ip) as dst_ip values(dst_ip_country_name) as dst_ip_country_name by rowIndex

You can strip off the last few pipes and run it pipe by pipe and that'll help you understand how it works.

Converting from multiline field in table of result by stats values() to one line results after geoip... why?

web_src_ip dst_ip

345.345.345.345

web_src_ip dst_ip dst_ip_country_name

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability