Suppose I have some numerical field A
, and some numerical multivalue field, mv_B
.
Suppose I want to find all values in mv_B
that are greater than A
.
I envision something like the following:
search...
| eval mv_Results=mvfilter(mv_B > A)
However, this does NOT work. The documentation states the following:
mvfilter(X)
This function filters a multivalue field based on an arbitrary Boolean expression X. The Boolean expression X can reference ONLY ONE field at a time.
Hence, the above code will not work, but the following code would.
search...
| eval mv_Results=mvfilter(mv_B > 10)
In short, what is the best way to accomplish this task? I've tried searching the community answers to no avail. Is there a practical solution?
Hi @abulco01
Please try
| makeresults
| eval a="23"
| eval b="22,23,24,24,25"
| makemv delim="," b
| mvexpand b
| eval result=if(b>a,b,null())
| stats values(a) as a list(b) as b values(result) as result
Hi @abulco01
Please try
| makeresults
| eval a="23"
| eval b="22,23,24,24,25"
| makemv delim="," b
| mvexpand b
| eval result=if(b>a,b,null())
| stats values(a) as a list(b) as b values(result) as result
Hello @vnravikumar
Thanks for the reply! Is there any way to accomplish this without the use of mvexpand
?
The reason I ask is because, if I have multiple multivalue fields m1, m2, ... mn
which I need to compare against, the number of rows will grow rapidly.
Hello,
I have the same need ( comparing a multivalued numercial field with a single value ) but without using the command mvexpand.
is there any other solution ?