https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34354#M7370 <P>Hi Chris,</P> <P>There is also a <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Stats" rel="nofollow">stats function</A>, <CODE>values()</CODE>, that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:</P> <PRE><CODE>... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) &gt; 1 </CODE></PRE> <P>You can read more about <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions" rel="nofollow">stats functions</A> in the search reference manual.</P> Fri, 28 Jan 2011 01:10:59 GMT sophy 2011-01-28T01:10:59Z https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34353#M7369 <P>Hi everyone</P> <P>We would like to be able to find out if a certain field which occurs several times in a transaction changes its value during that transaction (e.g. the browser language changes during a session)</P> <P>We have a rex that grabs all the values into a mv-field. What we would like to do now is a: mvdistinctcount(mvfield) -&gt; if the result is bigger than 1 we win.</P> <P>We thought that doing this would accomplish the same: </P> <PRE><CODE>... | eval first_element=mvindex(my_WT_ul,0) | eval same_ul = mvfilter(match(my_WT_ul, first_element)) | eval lang_change=mvcount(my_WT_ul)-mvcount(same_ul) </CODE></PRE> <P>The idea here being if all the values are equal to the first value in the field we will get a list that has the same length as the original otherwise we don't</P> <P>But the mvfilter does not like fields in the match function if we supply a static string we are ok.</P> <P>This is the error message we get:</P> <P>Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.</P> <P>Any ideas?</P> <P>Cheers Chris</P> Thu, 27 Jan 2011 23:43:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34353#M7369 chris 2011-01-27T23:43:24Z https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34354#M7370 <P>Hi Chris,</P> <P>There is also a <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Stats" rel="nofollow">stats function</A>, <CODE>values()</CODE>, that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:</P> <PRE><CODE>... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) &gt; 1 </CODE></PRE> <P>You can read more about <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/CommonStatsFunctions" rel="nofollow">stats functions</A> in the search reference manual.</P> Fri, 28 Jan 2011 01:10:59 GMT https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34354#M7370 sophy 2011-01-28T01:10:59Z https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34355#M7371 <P>Hi sophy, thanks for your solution. What worked for me in the end was this: ... | eventstats values(mvfield) as mvfieldvalues by mvfield | where mvcount(mvfieldvalues) &gt; 1</P> Fri, 28 Jan 2011 16:31:36 GMT https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34355#M7371 chris 2011-01-28T16:31:36Z https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34356#M7372 <P>even better! (^_^)/</P> Sat, 29 Jan 2011 01:07:00 GMT https://community.splunk.com/t5/Splunk-Search/Using-variables-in-mvfilter-with-match-or-how-to-get-an/m-p/34356#M7372 sophy 2011-01-29T01:07:00Z