Thanks @sk314. To be fair, this question was left unanswered for four years and 35 hours. Some improvements have been made to the docs since this answer, but this example is still better, IMO. ... View more

Updated with sundareshr's spath command instead of rex. ... View more

That's a better way to create the fields than what I did, but you still need to use mvzip() and mvexpand to get the correct value. ... View more

Glad it worked! Working with multivalue fields is often unintuitive. Sweet dreams. ... View more

This solved the blank values issues in the first column... search ... | filldown 'Name-field' You can then dedup and sort the table... | dedup 'Name-field' 'Server-field' 'Server-attribute' | sort 0 'Name-field' 'Server-field' If you really need to null out the Name-field... | streamstats current=f window=1 global=f last('Name-field') as previous | eval 'Name-field'=if('Name-field'==previous, "", 'Name-field') | fields - previous You may need to reverse the table afterward ... | reverse ... View more

Are you also saying that the Name-field is blank in the some rows ( the second for example)? Do you need to use the "filldown" command, before running dedup on all three fields? ... View more

To make this work via "add eval", you'd need to create a new field with a different name in the data model and hide the old field. The display name can be whatever you'd like. Another option is to do that eval in a root search -> Add object -> Root search. ... View more

This works... your search | fields column1 column2 column3 | table * | fields - _* However, do you really need to pipe to table? If you just show events and format it as a table, then the extra column would disappear. In the search, you can select "Table" on the events tab. Unfortunately, if you save this as a dashboard panel the settings are getting lost. In SimpleXML, here are the settings you need: <panel> <event> <search> <query>your search</query> </search> <option name="count">10</option> <option name="rowNumbers">0</option> <option name="type">table</option> <fields>column1, column2, column3</fields> </event> </panel> Note, this method would also include _time. ... View more

Use mvzip, makemv and then reset the fields based on index. First, mvzip the multi-values into a new field: | eval reading=mvzip(vivol, usage) // create multi-value field for reading | eval reading=mvzip(reading, limit) // add the third field At this point you'll have a multi-value field called reading. Here's an example of a field value (a list of four items): "VOL_ABC,100,300", "VOL_XYZ,320,800", "VOL_123, 50,150", "VOL_FOO, 80,120" Expand the field and restore the values: | mvexpand reading // separate multi-value into into separate events | makemv reading delim="," // convert the reading into a multi-value | eval vivol=mvindex(reading, 0) // set vivol to the first value of reading | eval usage=mvindex(reading, 1) // set usage to the second value of reading | eval limit=mvindex(reading, -1) // set limit to the last value of reading ... View more

Most eval functions balk with multi-value fields. I'm skipping over strptime in these examples, but know that you need a single value field for strptime. If you just need to work with the first or last values, you can put them into new fields before working with them. | eval start_date_first=mvindex(start_date, 0) | eval start_date_last=mvindex(start_date, -1) | eval end_date_first=mvindex(end_date, 0) | eval end_date_last=mvindex(end_date, -1) Another option is to create a separate row for each users start and end date: | eval periods=mvzip(start_date, end_date) // create multi-value field for with pairs of comma separated dates | mvexpand periods // separate each pair into separate events | makemv periods delim="," // separate the pair into a multi-value | eval start_date=mvindex(periods, 0) // set the first value to start_date | eval end_date=mvindex(periods, -1) // set the last value to end_date I've broken this down a little granularly than necessary. Many of these could be combined, but remember you often need to cast mvindex() output into a type with tostring() or tonumber(). For intance: | eval foo= mvindex(bar, 0) * 2 // always throws error | eval foo= tonumber(mvindex(bar, 0)) * 2 // works ... View more