https://community.splunk.com/t5/Splunk-Dev/Search-multi-valued-field-with-specific-values-in-sequence/m-p/570700#M10143 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226708">@vjajula</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">YOUR_SEARCH | mvexpand ColY | autoregress ColY as p_ColY p=1 | autoregress ColX as p_ColX p=1 | eval cnt = if(p_ColY!=ColY and ColX=p_ColX,1,0) | stats list(ColY) as ColY sum(cnt) as cnt by ColX | where cnt &gt; 0</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="ColX ColY A123456 ON,ON,ON A123457 ON,OFF,ON,OFF A123458 ON,ON,OFF,ON,ON,ON,OFF A123459 OFF,OFF,OFF A123460 ON,ON,ON,OFF,OFF,OFF" | multikv forceheader=1 | eval ColY=split(ColY,",") | mvexpand ColY | autoregress ColY as p_ColY p=1 | autoregress ColX as p_ColX p=1 | eval cnt = if(p_ColY!=ColY and ColX=p_ColX,1,0) | stats list(ColY) as ColY sum(cnt) as cnt by ColX | where cnt &gt; 0</LI-CODE><P><BR />&nbsp;Output.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-13 at 10.13.42 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16382i06353D5381809CB6/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2021-10-13 at 10.13.42 AM.png" alt="Screenshot 2021-10-13 at 10.13.42 AM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp; <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. </P> Wed, 13 Oct 2021 04:43:57 GMT kamlesh_vaghela 2021-10-13T04:43:57Z https://community.splunk.com/t5/Splunk-Dev/Search-multi-valued-field-with-specific-values-in-sequence/m-p/570695#M10142 <P>Hi,</P><P>I have another request similar to my previous post but with a variation</P><P>Here is the multi-valued field ColY. ColY has only two values ON or OFF. I need to find all rows which changed values from ON to OFF or vice-versa in any order. Below is the example</P><TABLE width="340"><TBODY><TR><TD width="187">ColX</TD><TD width="153">ColY</TD></TR><TR><TD>A123456</TD><TD width="153">ON<BR />ON<BR />ON</TD></TR><TR><TD>A123457</TD><TD width="153">ON<BR />OFF<BR />ON<BR />OFF</TD></TR><TR><TD>A123458</TD><TD width="153">ON<BR />ON<BR />OFF<BR />ON<BR />ON<BR />ON<BR />OFF</TD></TR><TR><TD>A123459</TD><TD width="153">OFF<BR />OFF<BR />OFF</TD></TR><TR><TD>A123460</TD><TD width="153">ON<BR />ON<BR />ON<BR />OFF<BR />OFF<BR />OFF</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><U><STRONG>Required output</STRONG></U></P><TABLE width="427"><TBODY><TR><TD width="187">ColX</TD><TD width="153">ColY</TD><TD width="87">totalChanges</TD></TR><TR><TD>A123457</TD><TD width="153">ON<BR />OFF<BR />ON<BR />OFF</TD><TD>3</TD></TR><TR><TD>A123458</TD><TD width="153">ON<BR />ON<BR />OFF<BR />ON<BR />ON<BR />ON<BR />OFF</TD><TD>3</TD></TR><TR><TD>A123460</TD><TD width="153">ON<BR />ON<BR />ON<BR />OFF<BR />OFF<BR />OFF</TD><TD>1</TD></TR></TBODY></TABLE> Wed, 13 Oct 2021 01:48:05 GMT https://community.splunk.com/t5/Splunk-Dev/Search-multi-valued-field-with-specific-values-in-sequence/m-p/570695#M10142 vjajula 2021-10-13T01:48:05Z https://community.splunk.com/t5/Splunk-Dev/Search-multi-valued-field-with-specific-values-in-sequence/m-p/570700#M10143 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226708">@vjajula</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">YOUR_SEARCH | mvexpand ColY | autoregress ColY as p_ColY p=1 | autoregress ColX as p_ColX p=1 | eval cnt = if(p_ColY!=ColY and ColX=p_ColX,1,0) | stats list(ColY) as ColY sum(cnt) as cnt by ColX | where cnt &gt; 0</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="ColX ColY A123456 ON,ON,ON A123457 ON,OFF,ON,OFF A123458 ON,ON,OFF,ON,ON,ON,OFF A123459 OFF,OFF,OFF A123460 ON,ON,ON,OFF,OFF,OFF" | multikv forceheader=1 | eval ColY=split(ColY,",") | mvexpand ColY | autoregress ColY as p_ColY p=1 | autoregress ColX as p_ColX p=1 | eval cnt = if(p_ColY!=ColY and ColX=p_ColX,1,0) | stats list(ColY) as ColY sum(cnt) as cnt by ColX | where cnt &gt; 0</LI-CODE><P><BR />&nbsp;Output.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-13 at 10.13.42 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16382i06353D5381809CB6/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2021-10-13 at 10.13.42 AM.png" alt="Screenshot 2021-10-13 at 10.13.42 AM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp; <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. </P> Wed, 13 Oct 2021 04:43:57 GMT https://community.splunk.com/t5/Splunk-Dev/Search-multi-valued-field-with-specific-values-in-sequence/m-p/570700#M10143 kamlesh_vaghela 2021-10-13T04:43:57Z