topic create a multivalue field, based on multiple single value fields with the same field name in Splunk Search https://community.splunk.com/t5/Splunk-Search/create-a-multivalue-field-based-on-multiple-single-value-fields/m-p/510159#M142750 <P>Hi there, I have a bit of a tough one.</P><P>I have a log with multiple entries of the same field, basically a list of values. I am trying to merge these values into a single new field, with a line for every value that was in the RAW event.</P><P>An example:</P><P><SPAN>2020-07-21T01:52:37+00:00 devicename=device1 | id=a522131 | date=2020-07-21T01:51:20 | name=peter | score=5 | action=read&nbsp;| randomfield1=nothingimportant | score=2 | action=read | score=2 | action=write | score=2 | action=write | randomfield2=nothingimportant</SPAN><BR /><BR /><SPAN>The intended resulting table where "actions" is a mv field, listing all actions (merging "score" and "action" as well), each on a line, but within the single field (actions):</SPAN></P><P><SPAN>name=peter</SPAN><BR /><SPAN>actions=</SPAN><BR /><SPAN>5:read</SPAN><BR /><SPAN>2:read</SPAN><BR /><SPAN>2:write</SPAN><BR /><SPAN>2:write</SPAN></P> Tue, 21 Jul 2020 04:37:56 GMT fsiemons 2020-07-21T04:37:56Z create a multivalue field, based on multiple single value fields with the same field name https://community.splunk.com/t5/Splunk-Search/create-a-multivalue-field-based-on-multiple-single-value-fields/m-p/510159#M142750 <P>Hi there, I have a bit of a tough one.</P><P>I have a log with multiple entries of the same field, basically a list of values. I am trying to merge these values into a single new field, with a line for every value that was in the RAW event.</P><P>An example:</P><P><SPAN>2020-07-21T01:52:37+00:00 devicename=device1 | id=a522131 | date=2020-07-21T01:51:20 | name=peter | score=5 | action=read&nbsp;| randomfield1=nothingimportant | score=2 | action=read | score=2 | action=write | score=2 | action=write | randomfield2=nothingimportant</SPAN><BR /><BR /><SPAN>The intended resulting table where "actions" is a mv field, listing all actions (merging "score" and "action" as well), each on a line, but within the single field (actions):</SPAN></P><P><SPAN>name=peter</SPAN><BR /><SPAN>actions=</SPAN><BR /><SPAN>5:read</SPAN><BR /><SPAN>2:read</SPAN><BR /><SPAN>2:write</SPAN><BR /><SPAN>2:write</SPAN></P> Tue, 21 Jul 2020 04:37:56 GMT https://community.splunk.com/t5/Splunk-Search/create-a-multivalue-field-based-on-multiple-single-value-fields/m-p/510159#M142750 fsiemons 2020-07-21T04:37:56Z Re: create a multivalue field, based on multiple single value fields with the same field name https://community.splunk.com/t5/Splunk-Search/create-a-multivalue-field-based-on-multiple-single-value-fields/m-p/510233#M142784 <P>See if this helps.</P><LI-CODE lang="markup">| makeresults | eval _raw="2020-07-21T01:52:37+00:00 devicename=device1 | id=a522131 | date=2020-07-21T01:51:20 | name=peter | score=5 | action=read | randomfield1=nothingimportant | score=2 | action=read | score=2 | action=write | score=2 | action=write | randomfield2=nothingimportant" ```Above just creates test data``` | rex "\bname=(?&lt;name&gt;\w+)" | rex max_match=0 "score=(?&lt;score&gt;\d+)" | rex max_match=0 "action=(?&lt;action&gt;\w+)" | eval actions=mvzip(score, action, ":") | table name actions</LI-CODE> Tue, 21 Jul 2020 13:20:17 GMT https://community.splunk.com/t5/Splunk-Search/create-a-multivalue-field-based-on-multiple-single-value-fields/m-p/510233#M142784 richgalloway 2020-07-21T13:20:17Z