We would like to be able to find out if a certain field which occurs several times in a transaction changes its value during that transaction (e.g. the browser language changes during a session).
We have a rex that grabs all the values into a mv-field. What we would like to do now is a:
mvdistinctcount(mvfield) -> if the result is bigger than 1 we win.
We thought that doing this would accomplish the same:
... | eval first_element=mvindex(my_WT_ul,0)
| eval same_ul = mvfilter(match(my_WT_ul, first_element))
| eval lang_change=mvcount(my_WT_ul)-mvcount(same_ul)
The idea here being: if all the values are equal to the first value in the field, we will get a list that has the same length as the original; otherwise we don't.
But mvfilter does not like fields in the match function; if we supply a static string we are OK.
This is the error message we get:
Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.
There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:
... | stats values(mvfield) AS mvfieldvalues | where mvcount(mvfieldvalues) > 1
You can read more about stats functions in the search reference manual.
even better! (^_^)/
Hi sophy, thanks for your solution. What worked for me in the end was this:
... | eventstats values(mvfield) as mvfieldvalues by mvfield | where mvcount(mvfieldvalues) > 1
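Added example, not part of the original thread: a self-contained search that collects the language values of each session into a multivalue field and flags the sessions where that field holds more than one distinct value, using mvdedup and mvcount instead of mvfilter. The events are constructed with makeresults; the session_id field and every value in it are made up for illustration, and my_WT_ul is the field name from the question.

```spl
| makeresults count=6
| streamstats count AS n
| eval session_id=case(n<=3, "constructed-A", n<=5, "constructed-B", true(), "constructed-C")
| eval my_WT_ul=case(n==3, "de-de", n<=3, "en-us", n<=5, "fr-fr", true(), "en-us")
| stats list(my_WT_ul) AS my_WT_ul by session_id
| eval distinct_ul=mvdedup(my_WT_ul)
| eval lang_change=if(mvcount(distinct_ul) > 1, 1, 0)
| where lang_change=1
| table session_id my_WT_ul distinct_ul
```

Only constructed-A is returned: its values are en-us, en-us, de-de, while constructed-B repeats a single value and constructed-C has only one event.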