Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using multivalue field as field-list for transaction

Puliyo
Engager
‎06-23-2020 06:29 PM

When multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite the events have common multivalue field.

Example Query:

 

 

| makeresults count=4
| streamstats count
| eval abc="123"
| eval def=if(count!=2, "456", null())
| eval ghi=if(count!=1, "789", null())
| eval abc=mvdedup(mvappend(abc, def, ghi))
| transaction abc keeporphans=1 keepevicted=1

 

 

I'd expect all 4 events to be combined to 1 as all events have common value of "123".

However this is not the case.

Is there any way to make this happen?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:50 PM

Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values

| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")

 but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.

 

0 Karma
Reply
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...