In my search, I'm using a transaction. After that, I create a table from the results, then I want to apply an
eventstats last() function.
In my table, I have two columns, let's say colA, and colB.
If I'm running the transaction without any further arguments, the
last() function works for both columns, like this:
| transaction keyfield | table colA, colB, keyfield | eventstats last(colA) as last_colA, last(colB) as last_colB by keyfield
However, for another reason, I need to run the transaction with mvlist=t.
When I do this, the eventstats function fails, but only for one column.
In this case, it fails for colA, but works fine with colB.
I don't get what the difference is, since I have the same type of values in both columns.
If it works for one column, why does it fail for the other one?
Do you get a single value for the lastcolA and lastcolB columns, or multivalued fields?
I am guessing that the issue here is something to do with multivalue fields.
A couple of options come to mind: do eventstats first...
| eventstats last(colA) as lastcolA, last(colB) as lastcolB by keyfield
| transaction keyfield
| table colA, colB, lastcolA, lastcolB, keyfield
That said, transaction and eventstats are REALLY REALLY inefficient. I would suggest eliminating the transaction command altogether because it can be a monster resource hog and yield incomplete results when used for high-volume searches. Eventstats is pretty brutal too.
| stats list(colA) AS colA last(colA) as lastcolA list(colB) AS colB last(colB) as lastcolB by keyfield

| stats list(colA) AS colA list(colB) AS colB by keyfield
| eval lastcolA=mvindex(colA,-1)
| eval lastcolB=mvindex(colB,-1)
Let me know if this works and relative performance.