My data is in JSON format, and contains arrays of JSON data that can be from 1 to N blocks. In this JSON, fields can have the same value across the blocks.
If I have 3 multivalue fields across those blocks, how do I combine them? With mvzip, I can combine two. This lets me parse out the specific value for another value.
FieldA   FieldB   FieldC
Quick    Brown    Fox
Jumped   Brown    Fox
Over     Brown    The
So if I wanted to find all values of FieldA that corresponded to Brown Fox, then I want to be able to zip up FieldA+FieldB+FieldC, then look for the specific combination of Brown and Fox. For 2 fields, I have done this with mvzip. How do I do this with three fields?
Hi
Try this
| makeresults
| eval FieldA="Quick,Jumped,Over", FieldB="Brown,Brown,Brown", FieldC="Fox,Fox,The"
| makemv delim="," FieldA
| makemv delim="," FieldB
| makemv delim="," FieldC
| stats list(FieldA) as FieldA,list(FieldB) as FieldB,list(FieldC) as FieldC
| eval temp=mvzip(FieldA,mvzip(FieldB,FieldC))
I know this is an old topic, but I recently had the same issue. So maybe it will help someone else.
The mvzip takes 2 required and one optional parameter. You can only combine two fields at a time, followed by any character as a delimiter. In the example below, I use a pipe character |
But I have discovered you can nest the mvzip and then extract them out.
So for your example using FieldA, FieldB, and FieldC
A simple mvzip would be:
| eval combined_data=mvzip(FieldA,FieldB,"|")
And that's it, but wait, there's more: proceed with nesting
| eval combined_data=mvzip(mvzip(FieldA,FieldB,"|"),FieldC,"|")
Next, expand the mv field:
| mvexpand combined_data
Finally, extract the fields in the same order you combined them:
| rex field=combined_data "^(?<FieldA>[^|]*)\|(?<FieldB>[^|]*)\|(?<FieldC>[^|]*)"
Thanks for the help. I didn't realize I could use mvzip inside of an mvzip. Once I did that, it worked fine to find the specific cases we needed. Thanks!
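The complete search for the original question (every FieldA value whose row has FieldB=Brown and FieldC=Fox), put together as an added example that is not from any post in this thread. The names rowA, rowB, rowC and FieldA_for_Brown_Fox are made up for the example, the sample data is the table from the question, and it assumes no value contains the | delimiter.

```spl
| makeresults
| eval FieldA=split("Quick,Jumped,Over", ","),
       FieldB=split("Brown,Brown,Brown", ","),
       FieldC=split("Fox,Fox,The", ",")
| eval combined_data=mvzip(mvzip(FieldA, FieldB, "|"), FieldC, "|")
| mvexpand combined_data
| rex field=combined_data "^(?<rowA>[^|]*)\|(?<rowB>[^|]*)\|(?<rowC>[^|]*)$"
| where rowB="Brown" AND rowC="Fox"
| stats values(rowA) as FieldA_for_Brown_Fox
```

With the sample rows this leaves Jumped and Quick. If a value can contain |, pick a delimiter that cannot occur in the data, otherwise the rex assigns the pieces to the wrong fields.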