Hello,
I need some assistance on the following scenario.
Let's say I have the fields "Country", "cities" and "command".
These are a few events:
These are a few cities of India.
Country=India, cities="Hyderabad, Bangalore, Kerala" command="common"
Country=Srilanka cities="Kandy, Colombo, Galle"
Country=Australia cities="Melbourne, sydney, Adelaide" command="common"
Country=USA cities="California, Cupertino, NewJersey"
Country=UK cities="Manchester, Headingley, Edgbaston" command="common"
Country=china cities="Beijing, Shanghai, Tianhe, common"
I have a sample query which gives me the result by source:
index=sai_core sourcetype="city_log" command="common"
| makemv delim="," cities
| stats values(cities) as cities by source
I want to make use of these results for source as a group by in another search:
index=sai_core sourcetype="city_log"
| makemv delim="," cities
| stats values(cities) as cities by source
How do I do this?
Not sure if I could understand what your exact requirement is. Can you explain what you need exactly? The first search is pretty straightforward and you have already built it; show me the desired output after the second search. I tried to mimic it using the dummy data. You could use the output in another search by using join or append:
| makeresults
| eval DATA="Country;India cities;Hyderabad,Bangalore,Kerala command;common:Country;Srilanka cities;Kandy,Colombo,Galle:Country;Australia cities;Melbourne,sydney,Adelaide command;common:Country;USA cities;California,Cupertino,NewJersey:Country;UK cities;Manchester,Headingley,Edgbaston command;common:Country;china cities;Beijing,Shanghai,Tianhe"
| makemv DATA delim=":"
| mvexpand DATA
| makemv DATA delim=" "
| eval Country=mvindex(DATA,0)
| eval Cities=mvindex(DATA,1)
| eval Command=mvindex(DATA,2)
| fields Cities Command Country _time
| rex field=Cities "cities\;(?P<Cities>.*)"
| makemv Cities delim=","
| mvexpand Cities
| rex field=Command "command\;(?P<Command>.*)"
| rex field=Country "Country\;(?P<Country>.*)"
| stats values(Cities) as Cities by Country
| mvexpand Cities
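As an added example (not from the original question or either answer), this applies the first search's source list to the second search with a subsearch filter rather than join or append: the subsearch returns the sources that have command="common", and Splunk expands it into an OR of source="..." terms that restricts the outer search before the group by. The field names, index and sourcetype are the ones from the question; the sed step is an assumption added because the sample values contain a space after each comma, which makemv with delim="," would otherwise keep as part of the city name.

```spl
index=sai_core sourcetype="city_log"
    [ search index=sai_core sourcetype="city_log" command="common"
      | stats count by source
      | fields source ]
| rex field=cities mode=sed "s/,\s+/,/g"
| makemv delim="," cities
| stats values(cities) as cities by source
```

Subsearches are capped (by default at 10,000 results and 60 seconds), so if the list of matching sources can grow large, the join suggested above or a saved post-process search is the safer option.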
@bollam, this seems like a use case for Post Processing. However, you would need to create it depending on what your other search is. So please refer to the documentation with examples. Also ensure that you understand Post Processing best practices.