Suppose I have some numerical field A, and some numerical multivalue field,
Suppose I want to find all values in mv_B that are greater than
I envision something like the following:
search... | eval mv_Results=mvfilter(mv_B > A)
However, this does NOT work. The documentation states the following:
This function filters a multivalue field based on an arbitrary Boolean expression X. The Boolean expression X can reference ONLY ONE field at a time.
Hence, the above code will not work, but the following code would.
search... | eval mv_Results=mvfilter(mv_B > 10)
In short, what is the best way to accomplish this task? I've tried searching the community answers to no avail. Is there a practical solution?
| makeresults | eval a="23" | eval b="22,23,24,24,25" | makemv delim="," b | mvexpand b | eval result=if(b>a,b,null()) | stats values(a) as a list(b) as b values(result) as result
Thanks for the reply! Is there any way to accomplish this without the use of
The reason I ask is because, if I have multiple multivalue fields m1, m2, ... mn which I need to compare against, the number of rows will grow rapidly.
I have the same need (comparing a multivalued numerical field with a single value) but without using the command mvexpand.
Is there any other solution?
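An added example, not part of the original thread: on Splunk versions that provide the mvmap eval function (8.0 and later), each value of a multivalue field can be compared against another field in the same event without mvexpand, so the number of rows does not grow with the number of multivalue fields. The sample values and the field names mv_C, mv_B_gt_A and mv_C_gt_A are constructed for illustration.

```spl
| makeresults
| eval A=23
| eval mv_B=split("22,23,24,24,25", ",")
| eval mv_C=split("5,30,41", ",")
| eval mv_B_gt_A=mvmap(mv_B, if(tonumber(mv_B) > A, mv_B, null()))
| eval mv_C_gt_A=mvmap(mv_C, if(tonumber(mv_C) > A, mv_C, null()))
| table A mv_B mv_B_gt_A mv_C mv_C_gt_A
```

Inside mvmap the field name refers to the current single value, and values for which the expression returns null() are left out of the result; tonumber() forces a numeric comparison because split() produces string values.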