https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506826#M141775 <P>Hi bowesmana,</P><P>great idea - this put me on the right track.</P><P>What I do now is to use an eval before the makemv that creates an ID value if empty, that matches my tokenizer but cannot occur in the real data.</P><P>After the the mvexpand I use another eval to remove this dummy-ID again.</P><P>Seems to work fine. And two evals should be better than two searches.</P><P>Thank you very much and kind regards,</P><P>Gunnar</P> Wed, 01 Jul 2020 07:34:47 GMT Gunnar 2020-07-01T07:34:47Z https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506523#M141714 <P>Hi,</P> <P>I have events similar to this example:</P> <P>1) date1, id1, misc</P> <P>2) date2, id2, misc</P> <P>3) date3, , misc</P> <P>4) date4, id3 and id4, misc</P> <P>The ids in 4) should be split into two separate lines.&nbsp; The result should look like this:</P> <P>1) date1, id1, misc</P> <P>2) date2, id2, misc</P> <P>3) date3, , misc</P> <P>4) date4, id3 , misc</P> <P>5) date4, id4, misc</P> <P>But when using makemv with tokenizer lines which do not match, the tokenizers are skipped in the result, e.g.:</P> <P>... | makemv tokenizer="(id\d)" ID | mvexpand ID | ...</P> <P>Results in:</P> <P>1) date1, id1, misc</P> <P>2) date2, id2, misc</P> <P>3) date4, id3 , misc</P> <P>4) date4, id4, misc</P> <P>How can I keep the non-matching lines? Is there a way to only use makemv where it is necessary?</P> <P>My workaround at the moment is to append a second search that looks for events with an empty ID and adds those events again after the makemv, e,g,:</P> <LI-CODE lang="markup">first search | ... | makemv tokenizer="(id\d)" ID | mvexpand ID | append [ first search again | ... | search NOT ID="*" | ... ] | ...</LI-CODE> <P>But searching twice can't be an optimal solution.</P> <P>Thank you,</P> <P>Gunnar</P> Wed, 01 Jul 2020 18:17:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506523#M141714 Gunnar 2020-07-01T18:17:45Z https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506797#M141767 <P>Not sure of the exact format of your data, but look at this example using split/mvexpand where fillnull is used to ensure the missing id gets preserved in the mvexpand</P><LI-CODE lang="markup">| makeresults count=4 | eval t=1 | accum t | eval _time=now() - (random() % 86400) | eval id=case(t=1,"id1",t=2,"id2",t=3,null,t=4,"id3 id4") | eval misc=random() | fields - t | eval id=split(id," ") | fillnull value="" id | mvexpand id</LI-CODE><P>It's likely that fillnull will solve your problem in your example makemv case also - set the value to whatever makes sense in your context.</P><P>Hope this helps</P><P>&nbsp;</P> Tue, 30 Jun 2020 22:33:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506797#M141767 bowesmana 2020-06-30T22:33:01Z https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506826#M141775 <P>Hi bowesmana,</P><P>great idea - this put me on the right track.</P><P>What I do now is to use an eval before the makemv that creates an ID value if empty, that matches my tokenizer but cannot occur in the real data.</P><P>After the the mvexpand I use another eval to remove this dummy-ID again.</P><P>Seems to work fine. And two evals should be better than two searches.</P><P>Thank you very much and kind regards,</P><P>Gunnar</P> Wed, 01 Jul 2020 07:34:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-makemv-with-tokenizers-while-keeping-non-matching/m-p/506826#M141775 Gunnar 2020-07-01T07:34:47Z