I ll show example it's much easier than explain:
index=*
|eval Flight=mvzip(date,route,"/")
|eval Passenger=mvzip(Last,Name,Seat," / ")
|table _time,Field1,Field2
In one event we can find one or two Flight segment but count of passengers can be 1-6.
In this example i show how my search react to event with Two flight segment and Two passengers wich checked in to both flight
so in result i got
_time Flight Passenger
2017-09-01 09-02/JFK-LHR MR KEY / 15F
09-02/LHR-CDG MRS KEY /15E
MR KEY / 10A
MRS KEY / 10 B
If i `mvexpand` passenger field it will lead to duplicates of Flight, if I `mvexpand` flight it will show 4 passenegers for each flight.
My goal to connect first half of passengers with first flight, second part with second flight, than expand to create single record for each registereted passenger (I wan to create dashboard with searching by flight/LastName/Seat etc.)
so perfect result is:
_time Flight Passenger
2017-09-01 09-02/JFK-LHR MR KEY / 15F
2017-09-01 09-02/JFK-LHR MRS KEY / 15F
2017-09-01 09-02/LHR-CDG MR KEY / 10A
2017-09-01 09-02/LHR-CDG MRS KEY / 10B
That is main trouble, pls help with it.
The second minor question that is:
I got maximum two records of mvfield "Departure" airport in my event but "Destination" airport for each passenger
So for this example it seems like:
Departure=JFK Departure=LHR Destination=LHR Destination=LHR Destination=CDG Destination=CDG
When I trying to route=mvzip(Departure,Destination) it seems like:
route=JFK-LHR route=LHR-LHR
The first is correct but second value isn't correct, is it possible to ignore duplicates of Destination values, because i need only first value of Destination and first value of second half of values if there is two flight segment in one event?
Then i will use mvzip to get correct combinations of Departure-Destination.
↧