Splunk Search

Expand two multi value field with different format using mvexpand

Trying to expand two multi value field using mvexpand for below scenario:

Jhon purchased Mango and Banana both.
Colins purchased Papaya and Brad purchased Apple.

alt text

My current output not showing Apple is purchased by Brad.
alt text

Part of code for expanding used as below:

| table Name,Fruit | eval sample = mvzip(Name,Fruit) | mvexpand sample | makemv sample delim="," | eval Name=mvindex(sample,0)| eval Fruit=mvindex(sample,1) 

Please help to get the desired output as per last picture.

0 Karma

Ultra Champion

UPDATED:

| makeresults 
| eval Name=split("Jhon,Colins,Brad",",") 
| eval Fruit=split("Mango,Banana,Papaya,Apple",",") 
| eval field_x=split("eat,like,love,taste",",") 
| eval field_y=split("one,two",",") 
| fields - _time 
| rename COMMENT as "this is sample data you provided" 
| rename COMMENT as "From here, the logic" 
| eval _counter=mvrange(0,mvcount(Fruit)) 
| eval Name = mvappend(mvindex(Name,0),Name) 
| stats list(*) as * by _counter
| foreach * 
    [ eval <<FIELD>> = case(mvcount(<<FIELD>>) = 2, mvindex(<<FIELD>>,_counter % 2),true(),mvindex(<<FIELD>>,_counter))] 
| fields Name field_x field_y Fruit

Hi, @ahmadshakir1952
I don't use mvexpand.
but How about this?

Here i have given example of two filed. Can you please for 2 more fields which is also multi-valued. i.e: field name: field_x and field_y then what would be the for each condition.

0 Karma

Ultra Champion

Hi @ahmadshakir1952
My answer updated. please confirm.

0 Karma

SplunkTrust
SplunkTrust

@ahmadshakir1952

Your posted images not providing proper information regarding field type and so on. So can you please provide some sample events OR images from Splunk search?

Meanwhile check below thing also..

The value of Fruit field against name Jhon is multivalued? Like output of below search?

| makeresults 
| eval name="Jhon|Colins|Brad",friuts="Mango#Banana|Papaya|Apple", name=split(name,"|"),friuts=split(friuts,"|") , tmp=mvzip(name,friuts) 
| mvexpand tmp 
| eval name=mvindex(split(tmp,","),0),friuts=mvindex(split(tmp,","),1),friuts=split(friuts,"#")
| rename COMMENT as "This is sample of your search" 
| table name friuts

Then try to append | mvexpand friuts .

0 Karma

Name and Fruit both are from different sourectype , but they both sharing a common ID field. In here example, Jhon is multi-valued and In name column its not certain which value is going to be multivalue in Fruit column/field.

0 Karma

SplunkTrust
SplunkTrust

@ahmadshakir1952
Can you please share sample events from both sourcetype? So I can help you design search.

0 Karma