When multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite the events have common multivalue field.
Example Query:
| makeresults count=4
| streamstats count
| eval abc="123"
| eval def=if(count!=2, "456", null())
| eval ghi=if(count!=1, "789", null())
| eval abc=mvdedup(mvappend(abc, def, ghi))
| transaction abc keeporphans=1 keepevicted=1
I'd expect all 4 events to be combined to 1 as all events have common value of "123".
However this is not the case.
Is there any way to make this happen?
Guess I've figured it out myself.
Solution is to specify all the fields in field-list.
| transaction abc,def,ghi keeporphans=1 keepevicted=1
Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values
| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")
but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.
Guess I've figured it out myself.
Solution is to specify all the fields in field-list.
| transaction abc,def,ghi keeporphans=1 keepevicted=1