Splunk Search

Makemv function does not work inside join

VatsalJagani
Champion

Do we know the reason why Splunk search has below behaviour:

 

Search-1:

 

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" | makemv inventory_field delim="~~"]
| search inventory_field="upperA"

 

* This gives 0 results.

 

Search-2:

 

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" ]
| makemv inventory_field delim="~~"
| search inventory_field="upperA"

 

* gives 2 results as expected with all fields:

VatsalJagani_0-1625493160512.png

 

It seems makemv (multi-valued field) does not work inside the join query. Do we know if this is documented or a bug?

 

Labels (1)
Tags (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@VatsalJagani 

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")] 

 

 

So for some how to work the filter we have to again make it multivalued. 

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

 

 

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂 

 

Still I'm searching more on the same. 

Thanks

KV

 

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@VatsalJagani 

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")] 

 

 

So for some how to work the filter we have to again make it multivalued. 

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

 

 

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂 

 

Still I'm searching more on the same. 

Thanks

KV

 

VatsalJagani
Champion

@kamlesh_vaghela  - Yeah the solution works with both split() function and makemv command outside subsearch.

But, thanks for the confirmation on the behavior of subsearch with the multi-valued fields.

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...