I have a subsearch to a join that returns a multivalued field. However, when that's put into a table in the parent search, it becomes a single value field... Just wondered why and how to deal with it.
index=web (host=X cs_uri_stem=/login status=500) OR (host=Y cs_uri_stem=/subrequest)
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
| where count=2
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
    | stats values(Message) as Message by Correlation_Id
    | eval d=mvcount(Message) ]
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d
In the subsearch d is set to the count of the mv field items and is generally 2 or 3, but in the outer search c becomes 1 and the resultant text field is shown as a single piece of text with all messages concatenated.
How can I keep the mv field status from the subsearch? The outer search has no field called Message.
You are using a field that does not exist. Please review the search sentence.
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
⇒ Correlation_Id, Path, Status, count
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
| stats values(Message) as Message by Correlation_Id
| eval d=mvcount(Template) ]
⇒ Correlation_Id, Message ※Template does not exist
| eval c=mvcount(Template)
⇒ Correlation_Id, Path, Status, count, Message ※Template does not exist
| table Correlation_Id, Path, TimeTaken, Status, Template, c, d
⇒ Correlation_Id, Path, TimeTaken(※NULL), Status, Template(※NULL), c(※NULL), d(※NULL)
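
An added example, not part of the original posts and not code from either poster: one common way to carry a multivalue field across `join` is to flatten it with `mvjoin` inside the subsearch and rebuild it with `split` in the outer search. The events are constructed with `makeresults`, and the `###` delimiter is an assumption that must not occur in any Message value.

```spl
| makeresults
| eval Correlation_Id="constructed-id-1", Path="/login", Status="500"
| join Correlation_Id
    [| makeresults
     | eval Correlation_Id="constructed-id-1"
     | eval Message=split("constructed: backend timeout;constructed: retry limit reached;constructed: session store unavailable", ";")
     | mvexpand Message
     | stats values(Message) as Message by Correlation_Id
     | eval d=mvcount(Message)
     | eval Message=mvjoin(Message, "###")]
| eval Message=split(Message, "###")
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d
```

In the search from the question, the `mvjoin` line goes last in the subsearch and the `split` line goes directly after the `join`, so `c` counts the rebuilt values and can be compared with `d`.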