i need events that have FieldA(a, b) and FieldB is the same value for the events....

index= source FieldA("a","b") will return all events

i want to filter it so that only events that have matching values in FieldB and the values in field a differ

so i would expect events 1, 3, 5, and 6 to return from the table above

I think I understand now.  Here's how I did that.

| makeresults | eval _raw="event fieldA fieldB
1     a      1
2     a      2
3     b      1
4     a      2
5     b      3
6     a      3
7     a      4
8     a      5
9     a      6"
| multikv forceheader=1
```Everything above just creates test data```
```Count the number of events and get a list of all the fieldA's for each fieldB
| eventstats count, values(fieldA) as A_fields by fieldB
```Filter out the singletons```
| where count > 1 AND mvcount(A_fields) > 1
| table event fieldA fieldB

did i do this wrong?:

Remove the backticks on the end of the first line.

I did that and it resulted in 0 results. However, i know there is at least 2 events that meet the criteria, both have the same FieldB value and one has FieldA (a) and the other has FieldA (b). I am trying to see if there are any more occurrences.

Run the query one pipe at a time until it breaks.  Then you'll know the problem command.  At each step, verify the results are what you expect.

but i don't know the values in FieldB prior to searching

i need events that have FieldA(a, b) and FieldB is the same value for the events....

index= source FieldA("a","b") will return all events

i want to filter it so that only events that have matching values in FieldB and the values in field a differ

so i would expect events 1, 3, 5, and 6 to return from the table above

but i do not know the values for FieldB at the time of search.