Splunk Search

Makemv function does not work inside join

VatsalJagani
SplunkTrust
SplunkTrust

Do we know the reason why Splunk search has below behaviour:

 

Search-1:

 

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" | makemv inventory_field delim="~~"]
| search inventory_field="upperA"

 

* This gives 0 results.

 

Search-2:

 

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" ]
| makemv inventory_field delim="~~"
| search inventory_field="upperA"

 

* gives 2 results as expected with all fields:

VatsalJagani_0-1625493160512.png

 

It seems makemv (multi-valued field) does not work inside the join query. Do we know if this is documented or a bug?

 

Labels (1)
Tags (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@VatsalJagani 

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")] 

 

 

So for some how to work the filter we have to again make it multivalued. 

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

 

 

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂 

 

Still I'm searching more on the same. 

Thanks

KV

 

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@VatsalJagani 

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")] 

 

 

So for some how to work the filter we have to again make it multivalued. 

 

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

 

 

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂 

 

Still I'm searching more on the same. 

Thanks

KV

 

VatsalJagani
SplunkTrust
SplunkTrust

@kamlesh_vaghela  - Yeah the solution works with both split() function and makemv command outside subsearch.

But, thanks for the confirmation on the behavior of subsearch with the multi-valued fields.

0 Karma
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...