I have events that I'm joining together via transaction. Once in a transaction a field can have multiple values. How can I then search for only transactions that have more than 3 values for that field?
Try mvcount()
From the docs:
mvcount(X) This function takes a field X and returns the number of values of that field if the field is multivalued, 1 if the field is single valued, and NULL otherwise.
Example: ... | eval n=mvcount(multifield)
Much cleaner than the other method I was using. Thanks!
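The full pipeline for the question above, as an added example that is not part of the original posts: it builds sample events with makeresults, groups them with transaction, and keeps only transactions whose field has more than 3 values. The field names session_id and src_ip and all event values are constructed for illustration.

```spl
| makeresults count=8
| streamstats count AS i
| eval _time=_time - i
| eval session_id=if(i<=5, "A", "B")
| eval src_ip=if(session_id=="A", "10.0.0." . (i % 4), "10.0.1." . (i % 2))
| transaction session_id
| eval n=mvcount(src_ip)
| where n > 3
| table session_id n src_ip
```

By default transaction keeps only the unique values of a multivalued field (mvlist=false), so n here counts distinct values; set mvlist=true on transaction to count every occurrence instead. Because mvcount returns NULL when the field is absent, the where clause also drops transactions that have no src_ip at all.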