Hello,
I used to work on Splunk, and when working with multi-value fields it's easy to break up a multivalue field using the "stats x by xx" command and then apply a where filter afterwards.
Consider this log with a multi-value field:
```json
{ "multivaluefield": ["toto", "kiki", "123"] }
```
Example of the Splunk query:
```
index="test"
| stats c by multivaluefield
| where multivaluefield="toto"
```
The Splunk result will only return the "toto" value.
In ELK instead, I perform the split using a data table, then Buckets --> split rows by multivaluefield.
I tried to combine this with a Query DSL query to filter only on the "toto" value:
```json
{
  "query": {
    "bool": {
      "must": [
        {
          "regexp": {
            "multivaluefield": "toto"
          }
        }
      ]
    }
  }
}
```
But ELK returned all the results of my multi-value field.
How can I get the same behaviour as Splunk on ELK?
Regards,
Ishu
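An added example that is not part of the original post: a query on an array field in Elasticsearch matches the whole document, so the hit still carries every value of `multivaluefield`. The per-value behaviour of Splunk's `stats ... | where` is closer to a `terms` aggregation restricted with `include`, as below. It assumes `multivaluefield` is mapped as `keyword` (use `multivaluefield.keyword` if it is a `text` field with a keyword sub-field) and that the index is called `test`.

```json
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term": { "multivaluefield": "toto" } }
      ]
    }
  },
  "aggs": {
    "values": {
      "terms": {
        "field": "multivaluefield",
        "include": ["toto"]
      }
    }
  }
}
```

Only the aggregation buckets are limited to "toto" (with its document count); if you also request hits (`size` > 0), each hit still contains the full array, because filtering never removes individual values from a document.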