How to change event field values into field name?
Event log sample1:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
id, code, message
1, 1111, "one"
3, 12345, "three"
Event log sample2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
id, keyname, keyvalue
1, name , john
1, place, richmond
1, activity, login
1, environment, mobile
2, name , bob
2, lastname, bill
3, name, charle
3, location, newyork
3, activity, transaction
4 name, Danny
4 lastname, Huber
5, name, eugene
Both event have common field called "id". I will join both data searches using join command.
e.g: index=abc code=111 | join id [search index=blah ]
But my requirement is, for the above search when the code is 111, i need get the table in following format
id, code, message, name, place, activity, environment
1 , 1111, "one", john, richmond, login, mobile
Please note that, the values of keyname and keyvalue are become field-name and its values respectively. Please let me know how to do this?
... View more