https://community.splunk.com/t5/Splunk-Search/How-does-dedup-treat-multivalue-fields/m-p/494081#M137758 <P>Which events are removed when multivalue comes into play?</P> Tue, 08 Oct 2019 19:46:01 GMT landen99 2019-10-08T19:46:01Z https://community.splunk.com/t5/Splunk-Search/How-does-dedup-treat-multivalue-fields/m-p/494081#M137758 <P>Which events are removed when multivalue comes into play?</P> Tue, 08 Oct 2019 19:46:01 GMT https://community.splunk.com/t5/Splunk-Search/How-does-dedup-treat-multivalue-fields/m-p/494081#M137758 landen99 2019-10-08T19:46:01Z https://community.splunk.com/t5/Splunk-Search/How-does-dedup-treat-multivalue-fields/m-p/494082#M137759 <P>The answer on which values in a multivalue field are deduped is this: The multivalue field must match all values in order for it to be deduped:</P> <P><CODE>| stats count | eval field=mvappend("a","b") | append [| stats count | eval field=mvappend("1","2")] | append [| stats count | eval field=mvappend("2","1")] | append [| stats count | eval field=mvappend("a1","b2")] | append [| stats count | eval field=mvappend("a1","b2")] | append [| stats count | eval field=mvappend("a1","a2")] | dedup field</CODE></P> <P>Even the order of the values in the multivalue field matters! Who would've thought? </P> Tue, 08 Oct 2019 19:48:17 GMT https://community.splunk.com/t5/Splunk-Search/How-does-dedup-treat-multivalue-fields/m-p/494082#M137759 landen99 2019-10-08T19:48:17Z