Splunk Search

multi value fields in subsearch to join become single value in parent

Motivator

I have a subsearch to a join that returns a multivalued field. However, when that's put into a table in the parent search, it becomes a single value field... Just wondered why and how to deal with it.

index=web (host=X cs_uri_stem=/login status=500) OR (host=Y cs_uri_stem=/subrequest)
| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
| where count=2
| join Correlation_Id [ search index=application (Level=Error OR Level=Warning) 
| stats values(Message) as Message by Correlation_Id | eval d=mvcount(Message) ]
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d

In the subsearch d is set to the count of the mv field items and is generally 2 or 3, but in the outer search c becomes 1 and the resultant text field is shown as a single piece of text with all messages concatenated.

How can I keep the mv field status from the subsearch? The outer search has no field called Message.

0 Karma

Champion

You are using a field that does not exist. Please review the search sentence.

| stats list(cs_uri_stem) as Path list(status) as Status count by Correlation_Id
⇒Correlation_Id, Path, Status, count

| join Correlation_Id [ search index=application (Level=Error OR Level=Warning)
| stats values(Message) as Message by Correlation_Id
⇒Correlation_Id, Message

| eval d=mvcount(Template) ]
⇒Correlation_Id, Message  ※Template does not exist

| eval c=mvcount(Template)
⇒Correlation_Id, Path, Status, count, Message  ※Template does not exist

| table Correlation_Id, Path, TimeTaken, Status, Template, c, d
⇒Correlation_Id, Path, TimeTaken(※NULL), Status, Template(※NULL), c(※NULL), d(※NULL)

0 Karma

Motivator

Duh - sorry - there was me trying to simplify the query from the original - only did half a job - basically Message was Template - hope that clarifies. Thanks for the pick

0 Karma
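A self-contained reproduction of the corrected search, added here as an example and not part of the thread: it uses makeresults with constructed values in place of the web and application indexes, and names the field Message consistently on both sides of the join so that the d (subsearch) and c (outer) mvcount checks refer to the same field and can be compared directly.

```spl
| makeresults count=1
| eval Correlation_Id="cid-1",
       Path=mvappend("/login", "/subrequest"),
       Status=mvappend("500", "200"),
       count=2
| join Correlation_Id
    [| makeresults count=1
     | eval Correlation_Id="cid-1",
            Message=mvappend("timeout contacting backend", "retrying request")
     | eval d=mvcount(Message) ]
| eval c=mvcount(Message)
| table Correlation_Id, Path, Status, Message, c, d
```

If c and d differ on your instance, the multivalue field is being altered by the join itself; if both are NULL, the field name on that side of the join still does not match.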