Solved: Makemv function does not work inside join

VatsalJagani · ‎07-05-2021

Do we know the reason why Splunk search has below behaviour:

Search-1:

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" | makemv inventory_field delim="~~"]
| search inventory_field="upperA"

* This gives 0 results.

Search-2:

| makeresults | eval group_by_field="A", other_field_1="1", other_field_2="test1" | append [| makeresults | eval group_by_field="A", other_field_1="2", other_field_2="test2"]
| join type=left group_by_field [| makeresults| eval group_by_field="A", inventory_field="upperA~~characterA" ]
| makemv inventory_field delim="~~"
| search inventory_field="upperA"

* gives 2 results as expected with all fields:

It seems makemv (multi-valued field) does not work inside the join query. Do we know if this is documented or a bug?

kamlesh_vaghela · ‎07-05-2021

@VatsalJagani

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")]

So for some how to work the filter we have to again make it multivalued.

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂

Still I'm searching more on the same.

Thanks

KV

View solution in original post

kamlesh_vaghela · ‎07-05-2021

@VatsalJagani

I don't think it is problem with makemv command, any multivalued field in sub search is converted into single value filed.

Try this.

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0 
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
    | eval inventory_field = split(inventory_field,"~~")]

So for some how to work the filter we have to again make it multivalued.

| makeresults 
| eval group_by_field="A", other_field_1="1", other_field_2="test1" 
| append 
    [| makeresults 
    | eval group_by_field="A", other_field_1="2", other_field_2="test2"] 
| join type=left group_by_field max=0
    [| makeresults 
    | eval group_by_field="A", inventory_field="upperA~~characterA" 
]
| eval inventory_field = split(inventory_field,"~~")
| search inventory_field="upperA"

So if it is expected behaviour of sub search with multivalue fields should be documented. 🙂

Still I'm searching more on the same.

Thanks

KV

VatsalJagani · ‎07-05-2021

@kamlesh_vaghela - Yeah the solution works with both split() function and makemv command outside subsearch.

But, thanks for the confirmation on the behavior of subsearch with the multi-valued fields.

Makemv function does not work inside join

join

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Splunk Classroom Chronicles: Training Tales and Testimonials