You could do something like this:

```spl
| makeresults format=json data="[{
  \"iphone\": {
    \"price\" : \"50\",
    \"review\" : \"Good\"
  },
  \"desktop\": {
    \"price\" : \"80\",
    \"review\" : \"OK\"
  },
  \"laptop\": {
    \"price\" : \"90\",
    \"review\" : \"OK\"
  }
},{
  \"tv\": {
    \"price\" : \"50\",
    \"review\" : \"Good\"
  },
  \"desktop\": {
    \"price\" : \"60\",
    \"review\" : \"OK\"
  }
}]"
| fields _raw _time
| eval p_name=json_array_to_mv(json_keys(_raw))
| streamstats count as row
| eval flag = pow(2, row - 1)
| mvexpand p_name
| eval {p_name}=flag
| fields - flag row p_name
| stats sum(*) as *
```

Fields with 1 are only in the first event, fields with 2 are only in the second event (missing from the first event), and fields with 3 are in both events. This also works for more events, as the sums are essentially binary flags for which events the fields come from, e.g. for 3 events, 7 would be all events, 5 would be first and third, etc.
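The bit-flag idea behind that search, as an added Python example (not part of the answer above): each event contributes 2^(row-1) to every top-level key it carries, so the per-key sum encodes exactly which events contain the key, and can be decoded back into event numbers. The two sample events are constructed to mirror the JSON in the answer; the function names are this example's own.

```python
import json

# Constructed sample events, the same two JSON objects used in the answer above,
# given as raw JSON strings to stand in for Splunk's _raw field.
RAW_EVENTS = [
    '{"iphone": {"price": "50", "review": "Good"},'
    ' "desktop": {"price": "80", "review": "OK"},'
    ' "laptop": {"price": "90", "review": "OK"}}',
    '{"tv": {"price": "50", "review": "Good"},'
    ' "desktop": {"price": "60", "review": "OK"}}',
]


def presence_flags(raw_events):
    """Return {key: flag_sum} for the top-level keys of each JSON event.

    Mirrors the SPL: row = streamstats count, flag = pow(2, row - 1),
    then stats sum(*) as *.  Bit (row - 1) of the sum is set exactly when
    event `row` (1-based) contains that key.
    """
    sums = {}
    for row, raw in enumerate(raw_events, start=1):
        flag = 1 << (row - 1)  # same as pow(2, row - 1)
        for key in json.loads(raw):  # json_keys(_raw) -> top-level keys
            sums[key] = sums.get(key, 0) + flag
    return sums


def decode_flag(flag_sum, n_events):
    """Turn a flag sum back into the 1-based list of events holding the key.

    For 3 events: 7 -> [1, 2, 3] (all), 5 -> [1, 3], 2 -> [2] only.
    """
    return [i for i in range(1, n_events + 1) if flag_sum & (1 << (i - 1))]


def missing_from(raw_events):
    """Map each key to the events it is absent from; useful for spotting
    events whose schema drifted (a field unexpectedly dropped)."""
    n = len(raw_events)
    flags = presence_flags(raw_events)
    all_events = set(range(1, n + 1))
    return {k: sorted(all_events - set(decode_flag(v, n))) for k, v in flags.items()}


if __name__ == "__main__":
    for key, total in sorted(presence_flags(RAW_EVENTS).items()):
        print(key, total, "present in events", decode_flag(total, len(RAW_EVENTS)))
```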