The raw data is like :
FieldA | FieldB | FieldC | FieldD 14-51-P-1216;14-52-P-0258;14-52-P-0053;14-52-P-0054 | 99DF-E8FF-DA0F-5F6D;1B33-9DAE-7B47-A7B4;FCFF-8F4A-106F-5894;5864-CDA1-7400-AD33 | 2015-07-14 | 2015-11-13 14-50-L-0892;14-50-L-0891 | E934-DD3D-86C9-1D5B;F64B-3125-1D75-1D53 | 2015-08-14 | 2015-09-01
FieldA & FieldB are both multivalue fields, and how many values of one field is indefinite.
But, there is a one - to - one relationship between the two fields.
I want to split the two events into 6 events as listed below:
FieldA | FieldB | FieldC | FieldD 14-51-P-1216 | 99DF-E8FF-DA0F-5F6D | 2015-07-14 | 2015-11-13 14-52-P-0258 | 1B33-9DAE-7B47-A7B4 | 2015-07-14 | 2015-11-13 14-52-P-0053 | FCFF-8F4A-106F-5894 | 2015-07-14 | 2015-11-13 14-52-P-0054 | 5864-CDA1-7400-AD33 | 2015-07-14 | 2015-11-13 14-50-L-0892 | E934-DD3D-86C9-1D5B | 2015-08-14 | 2015-09-01 14-50-L-0891 | F64B-3125-1D75-1D53 | 2015-08-14 | 2015-09-01
I think you might be interested in a search using a bunch of multivalue eval functions like this:
<base search to retrieve data> | eval FieldA=split(FieldA,";") | eval FieldB=split(FieldB,";") | eval FieldAB=mvzip(FieldA,FieldB,":") | mvexpand FieldAB | eval FieldAB=split(FieldAB,":") | eval FieldA=mvindex(FieldAB,0) | eval FieldB=mvindex(FieldAB,1) | fields - FieldAB
Here, I'm assuming FieldA and FieldB start out as single string fields with semicolon delimiters, so first we turn them into multivalued fields by splitting on their semicolons. Next we create a new multivalued field, FieldAB, by zipping each corresponding pair of values from FieldA and FieldB (with a colon delimiter, change this as appropriate for your data). With this new field, applying mvexpand works as we expect it to. We then turn each FieldAB value into a multivalued field again (splitting on our previously decided delimiter, and pulling FieldA and FieldB back out.
Finally we use fields to get rid of our temporary field. (but many other commands could work in place here)
The SPL search command is so powerful that can handle so complex problems. Thanks very much~
@caili - There are lots of folks who can help you around. Just start a new question for your new issue.
Thanks very much. I'm so sorry that I had posted my comment in the wrong place.