Let's say I have the following kind of event:
{"title":"title1","movieStatistics":[{"country":"US","cast":[{"name":"Actor1","age":30,"languages":["English","Spanish"]},{"name":"Actor2","age":48,"languages":["English","Polish","Spanish"]}]}]}
With the following search: index="index-blabla" | table "movieStatistics{}.cast{}.languages{}" "movieStatistics{}.cast{}.age"
I obtain this table:
| movieStatistics{}.cast{}.languages{} | movieStatistics{}.cast{}.age |
|---|---|
| English Spanish English Polish Spanish |
30 48 |
Which is not easy to exploit as I cannot really associate the "age" and the "languages" (I know it doesn't make sense, but it is just for the sake of the example).
Could you help me find the appropriate search in order to have a table like the following:
| movieStatistics{}.cast{}.languages{} | movieStatistics{}.cast{}.age |
|---|---|
| English Spanish |
30 |
| English Polish Spanish |
48 |
I tried the mvexpand, but it looks like it doesn't fit my need.
