I'm trying to use where(isnotnull(mvfind(mvfield,field))) to search to see which records are part of a list. The fields are all strings, and some of them have parentheticals at the end. I noticed that mvfind does not seem to capture these fields. To illustrate my point, try the following search. | makeresults count=10
| streamstats count as n
| eval n=n-1
| eval n=case(n<3,"Test (".n.")",n<6,"Test ".n,n<9,"(".n.")",1=1,n)
| eventstats list(n) as mv
| eval index=mvfind(mv,n) When you do, you'll see that items 3-9 are captured, but 0-2 are not, even though the very values of n were used to generate the mv field. I currently have a workaround to just use rex commands to substitute different strings for the parenthesis, run my mvfind, and then use rex to substitute them back, but it feels a little ridiculous. Does anyone know why mvfind doesn't work here or a cleaner way to fix it?
... View more