Hi, I am looking at data which includes a field with multiple lines of values. For instance:
$name$, $products$, $country$
============================
an example of an event:
name:
Peter Thompson
products:
windows 10
office 2017
adobe reader 9
country:
Germany
============================
What I am trying to achieve is a table like:
name products country
Peter Thompson Windows 10 Germany
Peter Thompson Office 2017 Germany
Peter Thompson Adobe Reader 9 Germany
============================
To do this I am using mvexpand on the products field, which gives me the separated products and sorts them by rarity. I cannot, however, seem to create a table after that which pulls back the other values such as the name and country. It appears that after the mvexpand or the rare functions, all other fields are lost.
============================
My query:
index=data sourcetype=stuff | mvexpand products | rare limit=10 products | eventstats count AS total by products, name | table count, name
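As an added example (not the poster's own query), one way to keep name and country next to each expanded product is to drop the transforming rare command, which only outputs the field it was given plus count and percent, and instead group a stats on all three fields; index, sourcetype and field names are taken from the post above.

```spl
index=data sourcetype=stuff
| mvexpand products
| stats count AS total BY products, name, country
| sort -total
| head 10
| table name, products, country, total
```

mvexpand itself preserves the other fields on every expanded row; it is rare (and any other transforming command) that discards them, so any field you want in the final table has to be named in the BY clause.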