Hi,
There are two columns named Filename and Directory and I want to combine the values of the above said fields and display it as a single field.
Filename Directory File
abc /tmp/op /tmp/op abc
Method 1:
I used mvappend command to combine like eval File=mvappend(Directory,Filename) ,the result is as follows
Filename Directory File
abc /tmp/op /tmp/op
abc
dxr /tmp/in /tmp/in
dxr
Method 2:
I used eval File=Directory."".Filename .the result is as follows
Filename Directory File
abc /tmp/op /tmp/op abc
dxr /tmp/in /tmp/in dxr
Can you tell the reason on why mvappend command display the two values one below the other on combining also which method is efficient to use among the two methods mentioned above
Hi Jananee_iNautix,
Method 1 creates a new multivalued field containing /tmp/op
and abc
as value.
Method 2 creates a new singlevalued field containing /tmp/op abc
as value.
Take this run everywhere example and see that in my_count
the values is 2 as there are two values in the field my
where as in field yours
the count is only 1 value
index=_internal | head 1 | eval foo="1" | eval boo="2" | eval my=mvappend(foo, boo) | eval yours=foo." ".boo | eval my_count=mvcount(my) | eval yours_count=mvcount(yours) | table foo boo my my_count yours yours_count
hope this helps ...
cheers, MuS
No, this depends on your use case and what you further do with the new field. You can test it very easy: run both searches and compare the run times in the job inspector.
Can you tell which among the two methods is efficient?