topic Re: mvcombine ignores specified delimiter in Getting Data In

mvcombine ignores specified delimiter

mcomfurf — Fri, 22 May 2015 19:41:11 GMT

We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in in a comma-delimted list per host. I'm using the Splunk search

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host |  mvcombine delim="," user

This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.

Re: mvcombine ignores specified delimiter

jrodman — Sat, 23 May 2015 02:52:33 GMT

What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.

What do you want as your ultimate table?

Re: mvcombine ignores specified delimiter

mcomfurf — Tue, 26 May 2015 18:00:25 GMT

I want a table like so:

host 1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10

What I'm getting now is:

host 1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10

Re: mvcombine ignores specified delimiter

peter7431 — Thu, 29 Oct 2015 14:35:51 GMT

This guy has the right answer here:
https://answers.splunk.com/answers/242855/mvcombine-ignores-specified-delimiter-1.html

In short, your search needs to move the delim parameter to your stats command, like this.

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user

Re: mvcombine ignores specified delimiter

triest — Mon, 30 Jan 2017 17:10:06 GMT

In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.

Why didn't it work?

mvcombine takes fields from different events and combines them. For example:

| gentimes start=-1 
| eval foo="cat;bear;monkey;horse;dog" 
| fields foo | eval foo=split(foo,";")
|  mvexpand foo

Then if we try mvcombine and use nomv, you can see the effect of the delim argument:

[...]
| mvcombine delim="DelimsROCK" foo
|  nomv foo

Other than the stats command, how can we make it work?

Option 1: Utilize `mvexpand` and `nomv`

The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user

Note: There are two additions mvexpand and nomv

Option 2 (preferred): Use the `mvjoin`

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host 
| eval user=mvjoin(user,",")

topic Re: mvcombine ignores specified delimiter in Getting Data In

mvcombine ignores specified delimiter

Re: mvcombine ignores specified delimiter

Re: mvcombine ignores specified delimiter

Re: mvcombine ignores specified delimiter

Re: mvcombine ignores specified delimiter

Why didn't it work?

Other than the stats command, how can we make it work?

Option 1: Utilize mvexpand and nomv

Option 2 (preferred): Use the mvjoin

Option 1: Utilize `mvexpand` and `nomv`

Option 2 (preferred): Use the `mvjoin`