Took some trial and error to figure out why some multivalue fields were being displayed as a single line.
If the string "data:" appears in any values in multivalue field, for examples using stats values(x) AS x, the multivalue field will display as a single line.
Are there any way to escape this behavior?
| makeresults | eval category="fruits" | eval name="apple,orange,strawberry,apricot,blueberry,mango" | eval name=SPLIT(name, ",")
| mvexpand name
| eval desc=name." is delicious!"
| eval desc_data="data: ".name."is delicious!"
| table category name desc desc_data
| stats values(name) AS name values(desc) AS desc values(desc_data) AS desc_data by category
UPDATE: Thanks everyone for testing and help identify that this issue does not affect v8.1.2.
It appears to affect v8.2+
This is an incredible find! I can confirm that, in a plain installation, multi-valued field with any value matching the regex "data\s*:" will be displayed in single line, as if there is a compulsory mvzip(). Before I post additional diagnosis, let me demonstrate an idiotic workaround: add the following to the end
| eval desc_data = mvjoin(desc_data, "
")
Note: the newline must be entered as literal (Ctrl + "Enter" in search window), not as "\n", for example. This should get the display as you intended, even though desc_data becomes single-valued after this.
Now to diagnosis. Like yourself, I made lots of tests. Stripped to the bare bones, the "data: spell", or compulsory mvzip syndrome, can be demonstrated with the following:
| makeresults | eval category="fruits" | eval name="apple;orange;strawberry;apricot;my data : blueberry;mango" | eval name=SPLIT(name, ";")
| table category name
| category | name |
| fruits | apple,orange,strawberry,apricot,my data : blueberry,mango |
Note:
- Only one of the values contains the pattern "data\s*:". The space character can be anything, even a newline.
- The spell-bound pattern can be prefixed by other patterns; in this demonstration, "my ".
- In the above example, field "category" is just an accessary and not a necessary part of the demonstration.
I cannot find anything explicit in etc/system/defaults that can explain this spell even though "data:" appears in several entries in conf.conf. I would consider this a bug as it can really catch many by surprise.
| eval desc_data=split(mvjoin(desc_data, ";"), ";")
| eval mv_count_desc_data=MVCOUNT(desc_data)
Unfortunately, join then split doesn't help me with display. Tested in 8.2.0 and 8.2.2. Gives me the same display as if no change is made
You're right, my bad -- I inadvertently tested this on 8.1.x.
Some other interesting observations:
You can insert newlines at the end of each values and the UI will respect it (Wrap Results needs to be turned on).
| rex field=desc_data mode=sed "s/$/\n/g"
You can't, however, try to interact with the comma. It seems like the comma only exists in the UI. For example replacing comma with newline doesn't work.
| rex field=desc_data mode=sed "s/\,/\n/g"
Trying another character like "!" works:
| rex field=desc_data mode=sed "s/\!/\\0\n/g"
Hi @johnhuang ,
I have just copied the same query given by you, but the results are multivalue only. Unsure why you got in a single row. Can you try again?
