https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155333#M7625 <P>Run the following search to see what exactly Splunk has indexed from that log line.</P> <PRE><CODE>eventType="adam.test" | table * </CODE></PRE> <P>That should give you a better idea about how to build your query.</P> Wed, 07 May 2014 12:19:05 GMT richgalloway 2014-05-07T12:19:05Z https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155332#M7624 <P>Log line:</P> <PRE><CODE>eventDate="2014-03-24 14:42:00.945" eventType="adam.test" eventDevice="test.client" dstip="44.184.5.99" srcip="44.184.5.99" domain="value6" domain="value9" ver="5" dstport="5" srcport="4" user="value4" proto="value8" </CODE></PRE> <P>Search:</P> <PRE><CODE>eventType="adam.test" | eval domain1=mvindex(domain,1) </CODE></PRE> <P>Result? Everything but no domain1 field.</P> <P>I am trying to search by second or first "domain" field value eval'ing it into domain1 - no luck.</P> Wed, 07 May 2014 12:10:04 GMT https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155332#M7624 adamguzek 2014-05-07T12:10:04Z https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155333#M7625 <P>Run the following search to see what exactly Splunk has indexed from that log line.</P> <PRE><CODE>eventType="adam.test" | table * </CODE></PRE> <P>That should give you a better idea about how to build your query.</P> Wed, 07 May 2014 12:19:05 GMT https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155333#M7625 richgalloway 2014-05-07T12:19:05Z https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155334#M7626 <P>You are right, Splunk indexed only one value for domain field... but why? </P> <P>Where and how should I configure that source to index data correctly?</P> Wed, 07 May 2014 12:40:28 GMT https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155334#M7626 adamguzek 2014-05-07T12:40:28Z https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155335#M7627 <P>The changes needed depend on how you're indexing the data now. Adding <CODE>'MV_ADD=true'</CODE> to your props.conf file may be enough. Providing your current relevant props.conf (and transforms.conf) stanzas will help us help you better.</P> Wed, 07 May 2014 13:56:02 GMT https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155335#M7627 richgalloway 2014-05-07T13:56:02Z https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155336#M7628 <P>MV_ADD=true was the trick...</P> Wed, 07 May 2014 14:21:28 GMT https://community.splunk.com/t5/Knowledge-Management/mkvalue-strange-problem/m-p/155336#M7628 adamguzek 2014-05-07T14:21:28Z