![]() ![]() I was able to obtain a messed up table as in your example with this query: index="test" earliest=-10dĪnd was able to restore the multivalues by appending this at the end. ![]() | makemv delim="" factoryconfig | makemv delim="" configĪt the end of the search string? You might have to cook a delimiter into the original fields to be able to split them at the end of the search string. It seems like you lost the "multivalue" property for those fields. Does anyone know why?Īpp1 Result1 Result2 example text Result3 Connection1 - url - type Connection2 - url - type Connection3 - url - typeĪpp2 Result4 A text Result5 b Result6 c Connection4 - url - type Connection5 - url - type Connection6 - url - type ![]() Result2 exampletext Connection2 - url - typeĪpp2 Result4 A text Connection4 - url - typeīut, when I do a join, it messes up the formatting and i get this, ie it gets rid of my nice formatting. Index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance What i want to do, is join the two searches Index="ems" sourcetype="factoryconfig" | search NOT "" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance Index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "*sample*" | transaction instance | fields instance, application, config | fields - _timeĪnd a second, which produces similar for a different sourcetype Ive tried using transaction, stats and join but have not been able to. I have two searches that use transactions to get part of a table of results that I want. I am trying to join fields from two separate log entries in the same index. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |