Trying to expand two multivalue fields using mvexpand for the scenario below:
Jhon purchased Mango and Banana both.
Colins purchased Papaya and Brad purchased Apple.
My current output is not showing that Apple is purchased by Brad.
Part of the code used for expanding is below:
| table Name,Fruit
| eval sample = mvzip(Name,Fruit)
| mvexpand sample
| makemv sample delim=","
| eval Name=mvindex(sample,0)
| eval Fruit=mvindex(sample,1)
Please help to get the desired output as per the last picture.
| makeresults
| eval Name=split("Jhon,Colins,Brad",",")
| eval Fruit=split("Mango,Banana,Papaya,Apple",",")
| eval field_x=split("eat,like,love,taste",",")
| eval field_y=split("one,two",",")
| fields - _time
| rename COMMENT as "this is sample data you provided"
| rename COMMENT as "From here, the logic"
| eval _counter=mvrange(0,mvcount(Fruit))
| eval Name = mvappend(mvindex(Name,0),Name)
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = case(mvcount(<<FIELD>>) = 2, mvindex(<<FIELD>>,_counter % 2),true(),mvindex(<<FIELD>>,_counter))]
| fields Name field_x field_y Fruit
I don't use
but how about this?
Your posted images are not providing proper information regarding field type and so on. So can you please provide some sample events or images from the Splunk search?
Meanwhile, check the thing below as well.
The value of the Fruit field against name Jhon is multivalued? Like the output of the search below?
| makeresults
| eval name="Jhon|Colins|Brad",friuts="Mango#Banana|Papaya|Apple", name=split(name,"|"),friuts=split(friuts,"|") , tmp=mvzip(name,friuts)
| mvexpand tmp
| eval name=mvindex(split(tmp,","),0),friuts=mvindex(split(tmp,","),1),friuts=split(friuts,"#")
| rename COMMENT as "This is sample of your search"
| table name friuts
Then try to append | mvexpand friuts.
Name and Fruit are both from different sourcetypes, but they share a common ID field. In this example, Jhon is multi-valued, and in the Name column it is not certain which value is going to be multivalued in the Fruit column/field.
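Added example, not part of the original thread: mvzip pairs values strictly by position, so a three-value Name and a four-value Fruit cannot line up. Since the two fields share an ID, the search below groups by that ID first and expands Fruit afterwards. The sourcetype names "names" and "fruits", the ID values and the sample rows are constructed assumptions.

```spl
| makeresults
| rename COMMENT as "Constructed sample rows: sourcetype,ID,value (all hypothetical)"
| eval raw=split("names,1,Jhon;names,2,Colins;names,3,Brad;fruits,1,Mango;fruits,1,Banana;fruits,2,Papaya;fruits,3,Apple",";")
| mvexpand raw
| eval sourcetype=mvindex(split(raw,","),0), ID=mvindex(split(raw,","),1), value=mvindex(split(raw,","),2)
| rename COMMENT as "Each event carries either a Name or a Fruit, depending on its sourcetype"
| eval Name=if(sourcetype=="names",value,null()), Fruit=if(sourcetype=="fruits",value,null())
| rename COMMENT as "Correlate on the shared ID instead of on list position"
| stats values(Name) as Name values(Fruit) as Fruit by ID
| rename COMMENT as "Only Fruit can be multivalued per ID here, so one mvexpand is enough"
| mvexpand Fruit
| table Name Fruit
```

On real data, the lines up to the second eval would be replaced by the base search over both sourcetypes.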