Multi-Value Constructs

Multi-value constructs are used to perform operations on multi-value fields. NetForest supports the following multi-value constructs:

  • Nomv
  • Makemv
  • Mvexpand
  • Mvcombine

Below is the description of each construct in detail along with the syntax and examples.

Nomv Construct

This construct is used to convert a multi-value field into a single-value field.

Syntax: …|nomv <field_name>

Here <field_name> is the field that is to be converted into a single value.

The following example shows a multi-value field being converted into a single-value field using nomv.

Example: server:"1.2.3.11" |nomv users

Output: The array is converted into a single string value field.

i.e. "users": ["a", "b", "c", "d", "e"] becomes "users": "a,b,c,d,e"


Makemv Construct

This construct is used to convert a single-value field into a multi-value field. When the 'makemv' operation is applied to a single-value field whose value contains a delimiter, it splits the value into an array.

Syntax: …|makemv [delim=<string> / tokenizer=<string>] <field_name>

Here,

delim=<string> is a delimiting string used to split the value of the field. Its value is provided within double quotes. This is an optional argument; its default value is a comma.

tokenizer=<string> is a regex whose capture group is extracted from the field value. The value of the field is split on each occurrence of this regex. This is an optional argument.

Note: Either delim or tokenizer can be used in a query; both cannot be used simultaneously.

Example – 1: server:"1.2.3.18" |makemv users

The following example shows a single-value field being converted into a multi-value field using makemv.

Output: The single string is converted into an array value field.

i.e. "users": " a,c,d" becomes "users": ["a", "c", "d"].

Example – 2:

Using makemv with delim.

Query: *|makemv delim="," users

Output: The delimiter-separated single string is converted into an array value field, i.e. "users": " a, c, d" becomes "users": ["a", "c", "d"].

Example – 3:

Using makemv with tokenizer.

Query: *|makemv tokenizer="([a]+)" users

Output: The tokenizer (regex) is matched against the given field and the single string is converted into an array value field containing the captured matches.

i.e. "users": "a,c,d" becomes "users": ["a"]
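As an added example (not NetForest's own code), the following Python models the nomv and makemv constructs described above so their effect on a document can be checked offline. The whitespace stripping, the comma used by nomv, and applying the tokenizer with re.findall on a single capture group are assumptions read off the page's examples.

```python
import re
from typing import Any, Dict, Optional

# Added example, not NetForest's own code: a model of nomv and makemv built
# from the behaviour the documentation shows. Assumptions: tokens are stripped
# of surrounding whitespace (the page turns " a, c, d" into ["a","c","d"]),
# nomv joins with a comma, and the tokenizer regex (one capture group) is
# applied with re.findall so that each captured match becomes an element.

def nomv(doc: Dict[str, Any], field: str) -> Dict[str, Any]:
    """Collapse a multi-value field into one comma-joined string."""
    out = dict(doc)
    value = out.get(field)
    if isinstance(value, list):
        out[field] = ",".join(str(v) for v in value)
    return out

def makemv(doc: Dict[str, Any], field: str, delim: Optional[str] = None,
           tokenizer: Optional[str] = None) -> Dict[str, Any]:
    """Split a single-value field into an array, by delimiter or by regex."""
    if delim is not None and tokenizer is not None:
        raise ValueError("delim and tokenizer cannot be used simultaneously")
    out = dict(doc)
    value = out.get(field)
    if not isinstance(value, str):
        return out                      # absent or already multi-value
    if tokenizer is not None:
        tokens = re.findall(tokenizer, value)   # one element per captured match
    else:
        tokens = value.split("," if delim is None else delim)
    out[field] = [t.strip() for t in tokens]
    return out

# Constructed sample events modelled on the page's examples.
EVENT_MV = {"server": "1.2.3.11", "users": ["a", "b", "c", "d", "e"]}
EVENT_SV = {"server": "1.2.3.18", "users": " a, c, d"}

if __name__ == "__main__":
    print(nomv(EVENT_MV, "users")["users"])                                  # a,b,c,d,e
    print(makemv(EVENT_SV, "users")["users"])                                # ['a', 'c', 'd']
    print(makemv({"users": "a,c,d"}, "users", tokenizer="([a]+)")["users"])  # ['a']
```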


Mvexpand Construct

This construct is used to expand values of a multi-value field into separate events, such that the result contains one event for each value in the multi-value field.

Syntax: …|mvexpand <field_name>

Example – 1:

The following example shows a multi-value field being expanded into separate events using mvexpand.

Example:

{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 1, "httpstatuscode": 202, "users": ["a", "b", "c", "d"]}

becomes

{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 1, "httpstatuscode": 202, "users": "a"}

{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 1, "httpstatuscode": 202, "users": "b"}

{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 1, "httpstatuscode": 202, "users": "c"}

{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 1, "httpstatuscode": 202, "users": "d"}

Query: server: 1.2.3.9|mvexpand users

Output: Every array index of the field users is expanded into an individual document (i.e. each array value becomes a separate document).

Mvcombine Construct

This construct is used to group multiple events that are identical except for the specified field, which contains a single value in each event. The result of this operation is a single event in which the specified field becomes a multi-value field.

Syntax: …|mvcombine <field_name>

Example

The following example shows multiple events that are identical except for the specified field (each containing a single value) being grouped using mvcombine.

{"server": "1.2.3.21", "httpmethod": "PUT", "sizeinbytes": 150, "resptime": 5, "httpstatuscode": 202}

{"server": "1.2.3.21", "httpmethod": "POST", "sizeinbytes": 150, "resptime": 5, "httpstatuscode": 202}

{"server": "1.2.3.21", "httpmethod": "PUT", "sizeinbytes": 150, "resptime": 5, "httpstatuscode": 202}

{"server": "1.2.3.21", "httpmethod": "GET", "sizeinbytes": 150, "resptime": 5, "httpstatuscode": 202}

becomes

{"server": "1.2.3.22", "httpmethod": ["PUT", "POST", "GET"], "sizeinbytes": 150, "resptime": 5, "httpstatuscode": 202}

Query: *|mvcombine httpmethod

Output: All the different values of the field httpmethod are combined into a single document (i.e. the differing values across the documents are combined into one document).
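As an added example (not NetForest's own code), the following Python models mvexpand and mvcombine on constructed copies of the sample events above, so the two constructs can be seen to be inverses of each other. How mvcombine decides that events are "identical except for the specified field" (all other fields equal, compared as JSON), that it keeps first-seen order, and that it drops repeated values are assumptions drawn from the page's example.

```python
import json
from typing import Any, Dict, List

# Added example, not NetForest's own code: a model of the mvexpand and
# mvcombine constructs written from the documentation above. Assumptions:
# mvcombine groups events whose remaining fields are all equal, keeps the
# first-seen order of values and drops repeated values (the page's example
# turns two PUT events into a single "PUT" entry).

Event = Dict[str, Any]

def mvexpand(events: List[Event], field: str) -> List[Event]:
    """Emit one output event per value of the multi-value field."""
    out: List[Event] = []
    for ev in events:
        value = ev.get(field)
        if isinstance(value, list):
            out.extend({**ev, field: v} for v in value)
        else:
            out.append(dict(ev))            # single-value: pass through unchanged
    return out

def mvcombine(events: List[Event], field: str) -> List[Event]:
    """Merge events identical except for `field` into one multi-value event."""
    groups: Dict[str, Event] = {}
    for ev in events:
        rest = {k: v for k, v in ev.items() if k != field}
        key = json.dumps(rest, sort_keys=True)      # identity of "all other fields"
        combined = groups.setdefault(key, {**rest, field: []})
        values = ev.get(field)
        for v in (values if isinstance(values, list) else [values]):
            if v is not None and v not in combined[field]:
                combined[field].append(v)
    return list(groups.values())

# Constructed copies of the sample events shown on the page.
EXPAND_INPUT = [{"server": "1.2.3.9", "httpmethod": "GET", "sizeinbytes": 150,
                 "resptime": 1, "httpstatuscode": 202, "users": ["a", "b", "c", "d"]}]
COMBINE_INPUT = [{"server": "1.2.3.21", "httpmethod": m, "sizeinbytes": 150,
                  "resptime": 5, "httpstatuscode": 202}
                 for m in ("PUT", "POST", "PUT", "GET")]

if __name__ == "__main__":
    for ev in mvexpand(EXPAND_INPUT, "users"):
        print(json.dumps(ev))
    print(json.dumps(mvcombine(COMBINE_INPUT, "httpmethod")))
```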


Merge Query

This feature merges the other fields based on one or more field names.

Syntax: *|merge <[VALUE|value]=[String|number]> <fieldNames>

<fieldNames>: Multiple field names are separated by commas (,).

Example:

  • *|merge value="NA" field_name
  • *|merge value=0 field_name


Use Case

This construct is used when there is a high level of redundancy in the data, for example when the majority of fields' values are something like "NA" or null.

Therefore, to remove redundant values (e.g. NA, null), 'merge' can be applied to one or more fields; the remaining fields are merged row-wise on the basis of the given <[VALUE|value]>. After the merge, the given fields contain only unique values and the rows of the remaining fields are merged.


Limitation

If the value given in 'value=""' does not exist in any of the rows, the rows are overwritten consecutively. Therefore, this construct is meaningful only when the data has sufficient null or undefined values.

Example: * | merge value="0" kpi

Output: Duplicates are removed from the field 'kpi' and the corresponding values of the other fields are replaced with the overwritten value (in this case '0').

Fetch Query

This query is used to fetch data directly from other products' databases and create visualizations from that data.

Syntax: fetch [<MetricHost>] [Fields] WHERE <logical-expression>