Trying to expand two multi value field using mvexpand for below scenario:
Jhon purchased Mango and Banana both.
Colins purchased Papaya and Brad purchased Apple.
My current output not showing Apple is purchased by Brad.
Part of code for expanding used as below:
| table Name,Fruit | eval sample = mvzip(Name,Fruit) | mvexpand sample | makemv sample delim="," | eval Name=mvindex(sample,0)| eval Fruit=mvindex(sample,1)
Please help to get the desired output as per last picture.
UPDATED:
| makeresults
| eval Name=split("Jhon,Colins,Brad",",")
| eval Fruit=split("Mango,Banana,Papaya,Apple",",")
| eval field_x=split("eat,like,love,taste",",")
| eval field_y=split("one,two",",")
| fields - _time
| rename COMMENT as "this is sample data you provided"
| rename COMMENT as "From here, the logic"
| eval _counter=mvrange(0,mvcount(Fruit))
| eval Name = mvappend(mvindex(Name,0),Name)
| stats list(*) as * by _counter
| foreach *
[ eval <<FIELD>> = case(mvcount(<<FIELD>>) = 2, mvindex(<<FIELD>>,_counter % 2),true(),mvindex(<<FIELD>>,_counter))]
| fields Name field_x field_y Fruit
Hi, @ahmadshakir1952
I don't use mvexpand
.
but How about this?
Here i have given example of two filed. Can you please for 2 more fields which is also multi-valued. i.e: field name: field_x and field_y then what would be the for each condition.
Hi @ahmadshakir1952
My answer updated. please confirm.
@ahmadshakir1952
Your posted images not providing proper information regarding field type and so on. So can you please provide some sample events OR images from Splunk search?
Meanwhile check below thing also..
The value of Fruit
field against name
Jhon is multivalued? Like output of below search?
| makeresults
| eval name="Jhon|Colins|Brad",friuts="Mango#Banana|Papaya|Apple", name=split(name,"|"),friuts=split(friuts,"|") , tmp=mvzip(name,friuts)
| mvexpand tmp
| eval name=mvindex(split(tmp,","),0),friuts=mvindex(split(tmp,","),1),friuts=split(friuts,"#")
| rename COMMENT as "This is sample of your search"
| table name friuts
Then try to append | mvexpand friuts
.
Name and Fruit both are from different sourectype , but they both sharing a common ID field. In here example, Jhon is multi-valued and In name column its not certain which value is going to be multivalue in Fruit column/field.
@ahmadshakir1952
Can you please share sample events from both sourcetype? So I can help you design search.