Hi,
The output of both systems is written to the same index and differ by the component contained in the event.
e.g:
user=x component=old target=foobar
OR
user=x component=new target=foobar
|stats dc(component) as condition, list(msglog) as msglog, list(component) as component
| where condition>1
I have a data that looks like this:
|target |condition |msglog |component
|footbar | 2 |Registration successful |old
| | |Registration successful |new
| | |invalid login |new
A field is grouped into multiple fields (example "msglog", "Date", "component" . However, I want to extract them all separately in one field and list them in a table by targetID. The result should look like this:
|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new
BUT, if i use mvexpand:
...| mvexpand msglog
| fillnull msglog value=0
| mvexpand component
| fillnull component value=0
| dedup msglog component
There is an additional field with msglog=invalid login with component=old, which is not correct.
|target |condition |msglog |component
|footbar | 2 |Registration successful |old
|footbar | 2 |Registration successful |new
|footbar | 2 |invalid login |new
|footbar | 2 |invalid login |old
Thanks for your Help and your Time
Just do this:
index=<You should always specify index> AND sourcetype=<And sourcetype too>
| table target condition msglog component
| filldown target
| filldown condition
Just do this:
index=<You should always specify index> AND sourcetype=<And sourcetype too>
| table target condition msglog component
| filldown target
| filldown condition
mvexpand will expand that particular field and copy the others that's why when you expand "msglog" both "Registration successful" and "invalid login" will have then a mv field "component" with both "new" and "old" values for each "msglog" value
does each event has every field? target, condition, msglog, component
because from what I see there is no way (with your search) you could have those results
user=x component=old target=foobar
OR
user=x component=new target=foobar
|stats dc(component) as condition, list(msglog) as msglog, list(component) as component
target won't be an available field in the results here. Only condition, msglog, component.
Can you post some raw data?
Hello @diogofgm
Here are the raw data:
{"timestamp":"2019-07-12T20:48:08.371+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"invalid login"
}
..........
{"timestamp":"2019-07-12T20:48:08.25+02:00",
"user":"x",
"component":"old",
"target":"footbar",
"msglog":"Registration successful"
}
...........
{"timestamp":"2019-07-12T20:48:08.184+02:00",
"user":"x",
"component":"new",
"target":"footbar",
"msglog":"Registration successful"
}
As I said, 1 field has several values in one row (
i.e. the value has "msglog"
"Registration successful"
"Registration successful"
"invalid login"). I would like to have these values in a table in a separate line extracted so that the results are correct. Otherwise, I can not limit my results, for example, only to "Registration successful"
is this 1 event or 3?
if its 1 event you should be breaking your event
if its 3 events use |eventstats dc(component) AS condition | table target condition msglog component