Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using multivalue field as field-list for transaction

Puliyo
Engager
‎06-23-2020 06:29 PM

When multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite the events have common multivalue field.

Example Query:

 

 

| makeresults count=4
| streamstats count
| eval abc="123"
| eval def=if(count!=2, "456", null())
| eval ghi=if(count!=1, "789", null())
| eval abc=mvdedup(mvappend(abc, def, ghi))
| transaction abc keeporphans=1 keepevicted=1

 

 

I'd expect all 4 events to be combined to 1 as all events have common value of "123".

However this is not the case.

Is there any way to make this happen?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:50 PM

Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values

| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")

 but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.

 

0 Karma
Reply
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...