When a multivalue field is given as the field-list for transaction, transaction does not attempt to combine the events, despite the events having a common multivalue field.
| makeresults count=4 | streamstats count | eval abc="123" | eval def=if(count!=2, "456", null()) | eval ghi=if(count!=1, "789", null()) | eval abc=mvdedup(mvappend(abc, def, ghi)) | transaction abc keeporphans=1 keepevicted=1
I'd expect all 4 events to be combined to 1 as all events have common value of "123".
However this is not the case.
Is there any way to make this happen?
Changing the mvappend to make them a sorted single value will give you a transaction on events where abc has the same set of MV values
| eval abc=mvjoin(mvsort(mvdedup(mvappend(abc, def, ghi))),",")
but not where any of the individual values has a common value. Not sure if that would be possible. I suspect you would have to run mvexpand on the value of abc to create separate events for that distinct value before running the transaction.
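Added example, not part of the original posts: a Python illustration (not SPL) of the two grouping behaviours discussed above, run on constructed events that mirror the question's makeresults search. It goes beyond the thread by treating "events share any value" as a connected-components problem; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed events mirroring the makeresults search in the question:
# def is null when count==2, ghi is null when count==1.
EVENTS = {
    1: ["123", "456"],
    2: ["123", "789"],
    3: ["123", "456", "789"],
    4: ["123", "456", "789"],
}

def group_by_exact_set(events):
    """Group events whose value sets are identical (the mvsort/mvjoin approach)."""
    groups = defaultdict(list)
    for event_id, values in events.items():
        key = ",".join(sorted(set(values)))
        groups[key].append(event_id)
    return sorted(groups.values())

def group_by_any_shared_value(events):
    """Group events that share at least one value, directly or through a chain
    of other events (connected components via union-find)."""
    parent = {event_id: event_id for event_id in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # value -> first event that carried it
    for event_id, values in events.items():
        for value in values:
            if value in first_seen:
                parent[find(event_id)] = find(first_seen[value])
            else:
                first_seen[value] = event_id

    groups = defaultdict(list)
    for event_id in events:
        groups[find(event_id)].append(event_id)
    return sorted(sorted(g) for g in groups.values())
```

On the constructed events, exact-set grouping yields three groups while any-shared-value grouping yields the single group the question expects.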