https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505856#M141485 <P>When&nbsp;multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite&nbsp;the events have common multivalue field.</P><P>Example Query:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults count=4 | streamstats count | eval abc="123" | eval def=if(count!=2, "456", null()) | eval ghi=if(count!=1, "789", null()) | eval abc=mvdedup(mvappend(abc, def, ghi)) | transaction abc keeporphans=1 keepevicted=1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'd expect all 4 events to be combined to 1 as all events have common value of "123".</P><P>However this is not the case.</P><P>Is there any way to make this happen?</P> Wed, 24 Jun 2020 01:31:01 GMT Puliyo 2020-06-24T01:31:01Z https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505856#M141485 <P>When&nbsp;multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite&nbsp;the events have common multivalue field.</P><P>Example Query:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults count=4 | streamstats count | eval abc="123" | eval def=if(count!=2, "456", null()) | eval ghi=if(count!=1, "789", null()) | eval abc=mvdedup(mvappend(abc, def, ghi)) | transaction abc keeporphans=1 keepevicted=1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'd expect all 4 events to be combined to 1 as all events have common value of "123".</P><P>However this is not the case.</P><P>Is there any way to make this happen?</P> Wed, 24 Jun 2020 01:31:01 GMT https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505856#M141485 Puliyo 2020-06-24T01:31:01Z https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505858#M141487 <P>Guess I've figured it out myself.</P><P>Solution is to specify all the fields in field-list.</P><LI-CODE lang="markup">| transaction abc,def,ghi keeporphans=1 keepevicted=1</LI-CODE> Wed, 24 Jun 2020 01:42:45 GMT https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505858#M141487 Puliyo 2020-06-24T01:42:45Z https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505859#M141488 <P>Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values</P><LI-CODE lang="markup">| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")</LI-CODE><P>&nbsp;but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.</P><P>&nbsp;</P> Wed, 24 Jun 2020 01:50:14 GMT https://community.splunk.com/t5/Splunk-Search/Using-multivalue-field-as-field-list-for-transaction/m-p/505859#M141488 bowesmana 2020-06-24T01:50:14Z