I need to extract from 2 fields and compile them into multiple fields.
1st field contains all the counter names.
The label doesn't change. Event is all the same for label type.
2nd field contains all the counts.
I can use split and mv to do the extraction.
How can I compile those counter and counts into key value pairs inline?
I need to use the values from the counter field as new field names and the values from the count field as the new values. The pairs will be position-based and split by comma?
I'm replying on the assumption that the count values are inside a multivalue field. Use a query like the following:
I assume the count values in the field look like Count=0,2,3, for example.
....|eval CountNew=split(count,",") |eval counter1=mvindex(CountNew,0) |eval counter2=mvindex(CountNew,1) |eval counter3=mvindex(CountNew,2) | table counter1 counter2 counter3
This is my current workaround.
However, I need the field names to be created dynamically as well, from another field's multivalued event.
For example, for a single event: field name = countertype; field value = (counter1,counter2,counter3).
I need extract from above event and create 3 new fields.
Field names = counter1, counter2, counter3
I think that my query assigns the count values to each counter (counter1, counter2, counter3). You can use timechart like the following:
....|eval CountNew=split(count,",") |eval counter1=mvindex(CountNew,0) |eval counter2=mvindex(CountNew,1) |eval counter3=mvindex(CountNew,2) |timechart count by counter1
I don't know what your events look like, but something like this may help, I hope:
your base search |rex "label=(?<label1>[^,]+),(?<label2>[^,]+),(?<label3>.*+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats count(cont1) as counter1 by label1|eventstats count(cont2) as counter2 by label2|eventstats count(cont3) as counter3 by label3|table counter1 counter2 counter3
OK. Here you go:
your base search |rex "label=(?<label1>[^,]+),(?<label2>[^,]+),(?<label3>[^\s]+)"|rex "Event=(?<cont1>\d+),(?<cont2>\d+),(?<cont3>\d+)\s"|eventstats values(cont1) as counter1 by label1|eventstats values(cont2) as counter2 by label2|eventstats values(cont3) as counter3 by label3|table counter1 counter2 counter3
Try this query format, with the mvindex function and the rex max_match attribute:
Hi, try this
...| rex "your rex (?<label>...)" max_match=0| eval label1=mvindex(label,0) | eval label2=mvindex(label,1) | eval label3=mvindex(label,2) | rex "your rex (?<Count>...)" max_match=0|eval Count1=mvindex(Count,0) | eval Count2=mvindex(Count,1)| eval Count3=mvindex(Count,2) |table label1 label2 label3 Count1 Count2 Count3
You will get the key value pair of each field.
The purpose is to create a tabulated output with the labels as column names, then populate each row using the count values.
Labels are extracted from the counter field by comma delimiter.
Values are extracted and assigned to each label's cell.
With that output I can chart based on _time.
I don't need to extract the count value.
The count field in the log is multivalued, separated by comma; the count value is the number of occurrences for each counter, and the counter name comes from another field.
I want a timechart that shows a line chart per counter, with counters and counts created inline.
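The position-based pairing described in this thread (label N from the counter field goes with value N from the count field) can be done without hard-coding counter1, counter2, counter3: zip the two split lists together, expand the pairs into one row each, and let timechart turn the label into the series name. The following is an added example and is not taken from any of the answers above. It assumes the two event fields are named counter (comma-separated labels) and count (comma-separated numbers), that both fields always have the same number of items, and it uses makeresults with constructed sample values so it can be pasted into a search bar and run without real data; replace the first four lines with your base search.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=_time - n*60
| eval counter="cpu,mem,disk", count=case(n=1,"3,7,1", n=2,"4,6,2", n=3,"5,5,3")
| eval pairs=mvzip(split(counter,","), split(count,","), "=")
| mvexpand pairs
| eval name=mvindex(split(pairs,"="),0), value=tonumber(mvindex(split(pairs,"="),1))
| timechart span=1m sum(value) by name
```

mvzip pairs the two multivalue fields by position, producing one multivalue field of "label=value" strings; mvexpand makes a separate row per pair, carrying the original _time along; the final eval splits each pair back into the field name and a numeric value. The resulting timechart has one column (and so one line in a line chart) per distinct label, which is exactly the dynamic set of fields asked for, and the same rows can be fed to `| chart sum(value) by _time name` if a plain table is wanted instead. mvexpand is subject to the memory limit in limits.conf, so on very wide counter lists keep the base search narrow.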