Solved: How to extract Multivalue fields?

shrek · ‎06-04-2022

Lets just say I have multiple events like this:

names

John

Sam

Todd

favorite_colors

Blue

Yellow

Green

Each event might have a different number of field values but the ratio of names to favorite_colors is 1:1.

Is it possible to extract these into new events or display them separately in a table like this:

I have tried mvexpand but that only works for 1 multivalue field.

ITWhisperer · ‎06-04-2022

As you say, mvexpand works on one event, so there are a couple of ways to do it, here is one

| eval row=mvrange(0,mvcount(name))
| mvexpand row
| eval name=mvindex(name,row)
| eval favourite_colour=mvindex(favourite_colour,row)
| fields - row

ITWhisperer · ‎06-04-2022

As you say, mvexpand works on one event, so there are a couple of ways to do it, here is one

| eval row=mvrange(0,mvcount(name))
| mvexpand row
| eval name=mvindex(name,row)
| eval favourite_colour=mvindex(favourite_colour,row)
| fields - row

shrek · ‎06-04-2022

This was exactly what I was looking for, thanks.

How to extract Multivalue fields?