Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using multivalue field as field-list for transaction

Puliyo
Engager
‎06-23-2020 06:29 PM

When multivalue field is given as field-list for transaction, transaction does not attempt to combine the events despite the events have common multivalue field.

Example Query:

 

 

| makeresults count=4
| streamstats count
| eval abc="123"
| eval def=if(count!=2, "456", null())
| eval ghi=if(count!=1, "789", null())
| eval abc=mvdedup(mvappend(abc, def, ghi))
| transaction abc keeporphans=1 keepevicted=1

 

 

I'd expect all 4 events to be combined to 1 as all events have common value of "123".

However this is not the case.

Is there any way to make this happen?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:50 PM

Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values

| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")

 but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.

 

0 Karma
Reply
Solved! Jump to solution
Solution

Puliyo
Engager
‎06-23-2020 06:42 PM

Guess I've figured it out myself.

Solution is to specify all the fields in field-list.

| transaction abc,def,ghi keeporphans=1 keepevicted=1
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...