https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558319#M158585 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915">@VatsalJagani</a>&nbsp;</P><P>I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.</P><P>Try this.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field max=0 [| makeresults | eval group_by_field="A", inventory_field="upperA~~characterA" | eval inventory_field = split(inventory_field,"~~")] </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>So for some how to work the filter we have to again make it multivalued.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field max=0 [| makeresults | eval group_by_field="A", inventory_field="upperA~~characterA" ] | eval inventory_field = split(inventory_field,"~~") | search inventory_field="upperA"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>So if it is expected behaviour of sub search with multivalue fields should be documented. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>Still I'm searching more on the same.&nbsp;</P><P>Thanks</P><P>KV</P><P>&nbsp;</P> Mon, 05 Jul 2021 14:46:33 GMT kamlesh_vaghela 2021-07-05T14:46:33Z https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558313#M158584 <P>Do we know the reason why Splunk search has below behaviour:</P><P>&nbsp;</P><P>Search-1:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" | makemv inventory_field delim="~~"] | search inventory_field="upperA"</LI-CODE><P>&nbsp;</P><P>* This gives 0 results.</P><P>&nbsp;</P><P>Search-2:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" ] | makemv inventory_field delim="~~" | search inventory_field="upperA"</LI-CODE><P>&nbsp;</P><P>* gives 2 results as expected with all fields:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VatsalJagani_0-1625493160512.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14941i66F7C6146132AB25/image-size/medium?v=v2&amp;px=400" role="button" title="VatsalJagani_0-1625493160512.png" alt="VatsalJagani_0-1625493160512.png" /></span></P><P>&nbsp;</P><P>It seems makemv (multi-valued field) does not work inside the join query. Do we know if this is documented or a bug?</P><P>&nbsp;</P> Mon, 05 Jul 2021 13:56:47 GMT https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558313#M158584 VatsalJagani 2021-07-05T13:56:47Z https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558319#M158585 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915">@VatsalJagani</a>&nbsp;</P><P>I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.</P><P>Try this.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field max=0 [| makeresults | eval group_by_field="A", inventory_field="upperA~~characterA" | eval inventory_field = split(inventory_field,"~~")] </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>So for some how to work the filter we have to again make it multivalued.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"] | join type=left group_by_field max=0 [| makeresults | eval group_by_field="A", inventory_field="upperA~~characterA" ] | eval inventory_field = split(inventory_field,"~~") | search inventory_field="upperA"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>So if it is expected behaviour of sub search with multivalue fields should be documented. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P><P>Still I'm searching more on the same.&nbsp;</P><P>Thanks</P><P>KV</P><P>&nbsp;</P> Mon, 05 Jul 2021 14:46:33 GMT https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558319#M158585 kamlesh_vaghela 2021-07-05T14:46:33Z https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558322#M158586 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp; - Yeah the solution works with both split() function and makemv command outside subsearch.</P><P>But, thanks for the confirmation on the behavior of subsearch with the multi-valued fields.</P> Mon, 05 Jul 2021 15:50:22 GMT https://community.splunk.com/t5/Splunk-Search/Makemv-function-does-not-work-inside-join/m-p/558322#M158586 VatsalJagani 2021-07-05T15:50:22Z