I have a list of events with the following content:
event1: _time=123 Tag="X" Value="12.2"
event2: _time=123 Tag="Y" Value="55.2"
event3: _time=123 Tag="Z" Value="3.2"
event4: _time=234 Tag="X" Value="12.4"
event5: _time=234 Tag="Y" Value="55.0"
event6: _time=234 Tag="Z" Value="2.8"
The values are coordinates (X, Y, Z) that I want to visualize in a 3D scatter plot. Unfortunately, I have each coordinate in a single event.
How can I merge those events to create a table afterwards with
(wanted command) | table _time X Y Z
???
| eval {Tag}=Value
| stats values(X) AS X, values(Y) AS Y, values(Z) AS Z by _time
The {Tag}=Value will create a new field X (or Y or Z) with the relevant value, then the stats will merge them into a single event.
Full example:
| makeresults count=6
| streamstats count AS i
| eval Value=random()%10
| eval _time=if(i>3,_time,_time+10)
| eval Tag=case(i%3==0,"X", i%3=1,"Y", i%3=2,"Z")
| fields - i
| eval {Tag}=Value
| stats values(X) AS X, values(Y) AS Y, values(Z) AS Z by _time
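An added example, not part of the original answer: the same pivot run over the six events from the question, rebuilt here with makeresults as constructed sample data. It goes one step beyond the answer by using xyseries, which creates one column per distinct Tag value, so the tag names do not have to be listed in a stats clause.

```spl
| makeresults count=6
| streamstats count AS i
| eval _time=if(i<=3, 123, 234)
| eval Tag=case(i%3==1,"X", i%3==2,"Y", i%3==0,"Z")
| eval Value=case(i==1,"12.2", i==2,"55.2", i==3,"3.2", i==4,"12.4", i==5,"55.0", i==6,"2.8")
| fields - i
| xyseries _time Tag Value
| table _time X Y Z
```

The result has one row per _time (123 and 234) with X, Y and Z as columns. Like the stats version, this only merges events whose _time values match exactly.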