Hi All,
How i can merge two row value in one field. i am trying with case but i am not getting the output.
| makeresults | eval _raw="product_name,dev,dev1,test,prod INFO,yes,yes,no,yes Apple,yes,,yes,yes Apple1,,yes,," | multikv forceheader=1 | table product_name,dev,dev1,test,prod | eval matchseg=replace(product_name,"\d+","") | stats values(*) as * by matchseg | rename matchseg as product_name | table product_name,dev,dev1,test,prod
apple = apple1? What are the conditions for joining?
Hi @to4kawa all the dev1 info for Apple1 will display in Apple . i cant show two apple so i am display in one field ie- Apple.
Hi @to4kawa
This value is not fixed time to time this value is chaining in that condition this ll not work.
yes to No and No to yes it changing so i need dynamic solution
What are the conditions for joining? This value is not fixed time to time I see. Which should be remain? faster? later? Name has digit? non-digit? I don't know.
This value is not fixed time to time
in addition to @to4kawa solution, check this
| makeresults | eval _raw="product_name,dev,dev1,test,prod INFO,yes,yes,no,yes Apple,yes,,yes,yes Apple1,,yes,," | multikv forceheader=1 | table product_name,dev,dev1,test,prod | eval matchseg=replace(product_name,"\d+","") | streamstats count | stats values(*) as * by matchseg | mvexpand count | stats max(count) as count by matchseg,dev,dev1,test,prod | rename matchseg as product_name | sort count | table product_name,dev,dev1,test,prod
