mvcombine ignores specified delimiter

mcomfurf
Path Finder

We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in, in a comma-delimited list per host. I'm using the Splunk search

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host | mvcombine delim="," user

This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.


peter7431
Explorer

This guy has the right answer here:
https://answers.splunk.com/answers/242855/mvcombine-ignores-specified-delimiter-1.html

In short, your search needs to move the delim parameter to your stats command, like this.

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user

triest
Communicator

In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.

Why didn't it work?

mvcombine takes fields from different events and combines them. For example:

| gentimes start=-1
| eval foo="cat;bear;monkey;horse;dog"
| fields foo | eval foo=split(foo,";")
| mvexpand foo

Then if we try mvcombine and use nomv, you can see the effect of the delim argument:

[...]
| mvcombine delim="DelimsROCK" foo
| nomv foo

Other than the stats command, how can we make it work?

Option 1: Utilize mvexpand and nomv

The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user

Note: there are two additions, mvexpand and nomv.

Option 2 (preferred): Use mvjoin

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host 
| eval user=mvjoin(user,",")
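
The following is an added example, not code from this thread or from Splunk. It is a small Python model of the pipeline being discussed: it parses constructed /var/log/secure lines for the "session opened" events the question's base search selects, then runs simplified stand-ins for stats values(), mvexpand, mvcombine, nomv and mvjoin so that the original search, the accepted answer (delim on stats) and both of the options above can be compared side by side. The log lines, host names and user names are made up, and the command functions are an assumed simplification of SPL behaviour that is only meant to show why an already-aggregated row gives mvcombine nothing to combine.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure (not real data). The "Accepted publickey"
# line is included to show the base search filtering on "session opened".
SAMPLE_SECURE_LOG = """\
Mar  3 09:12:01 host1 sshd[2041]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Mar  3 09:12:44 host1 sshd[2050]: pam_unix(sshd:session): session opened for user user4 by (uid=0)
Mar  3 09:13:02 host2 sshd[1133]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Mar  3 09:14:17 host1 sshd[2071]: Accepted publickey for user8 from 10.0.0.5 port 51234 ssh2
Mar  3 09:14:18 host1 sshd[2071]: pam_unix(sshd:session): session opened for user user8 by (uid=0)
Mar  3 09:15:09 host2 sshd[1140]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Mar  3 09:16:30 host1 sshd[2090]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
"""

# syslog prefix "Mon DD HH:MM:SS host sshd[pid]: " followed by the pam_unix session line
SESSION_OPENED = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


class MultiValue(list):
    """A multivalue field; `delim` is what nomv uses when flattening it (assumed model)."""

    def __init__(self, values, delim=" "):
        super().__init__(values)
        self.delim = delim


def parse_events(text):
    """Base search: keep only session-opened lines and extract host and user."""
    events = []
    for line in text.splitlines():
        m = SESSION_OPENED.match(line)
        if m:
            events.append({"host": m.group("host"), "user": m.group("user")})
    return events


def stats_values_by_host(events, delim=" "):
    """stats [delim=...] values(user) as user by host: one row per host,
    user becomes a deduplicated, sorted multivalue field."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].add(ev["user"])
    return [{"host": h, "user": MultiValue(sorted(seen[h]), delim)} for h in sorted(seen)]


def mvexpand(rows, field):
    """mvexpand: one event per value of the multivalue field."""
    return [dict(row, **{field: v}) for row in rows for v in row[field]]


def mvcombine(rows, field, delim=" "):
    """mvcombine delim=... field: events identical in every other field are merged
    into one event whose `field` is multivalue. A group of one event passes through
    untouched, so the delimiter has nothing to act on; that is the situation in the
    original search, where stats had already reduced the data to one row per host."""
    groups = {}
    for row in rows:
        key = tuple(sorted((k, v) for k, v in row.items() if k != field))
        groups.setdefault(key, []).append(row)
    out = []
    for key, members in groups.items():
        if len(members) == 1:
            out.append(members[0])
        else:
            out.append(dict(key, **{field: MultiValue([m[field] for m in members], delim)}))
    return out


def nomv(row, field):
    """nomv: flatten a multivalue field into one string using its delimiter."""
    mv = row[field]
    if isinstance(mv, str):
        return row
    return dict(row, **{field: getattr(mv, "delim", " ").join(mv)})


def mvjoin(values, delim):
    """eval field=mvjoin(field, delim)."""
    return delim.join(values)


def users_per_host_original(text):
    """The question's search: stats values | mvcombine delim="," (space-delimited result)."""
    rows = mvcombine(stats_values_by_host(parse_events(text)), "user", delim=",")
    return {r["host"]: nomv(r, "user")["user"] for r in rows}


def users_per_host_stats_delim(text):
    """Accepted answer: stats delim="," values(user) ... | mvcombine user."""
    rows = mvcombine(stats_values_by_host(parse_events(text), delim=","), "user")
    return {r["host"]: nomv(r, "user")["user"] for r in rows}


def users_per_host_mvcombine(text):
    """Option 1: stats values | mvexpand | mvcombine delim="," | nomv."""
    rows = mvcombine(mvexpand(stats_values_by_host(parse_events(text)), "user"), "user", ",")
    return {r["host"]: nomv(r, "user")["user"] for r in rows}


def users_per_host_mvjoin(text):
    """Option 2: stats values | eval user=mvjoin(user, ",")."""
    return {r["host"]: mvjoin(r["user"], ",") for r in stats_values_by_host(parse_events(text))}


if __name__ == "__main__":
    for name, fn in [("original", users_per_host_original), ("stats delim", users_per_host_stats_delim),
                     ("mvexpand/mvcombine/nomv", users_per_host_mvcombine), ("mvjoin", users_per_host_mvjoin)]:
        print(name, fn(SAMPLE_SECURE_LOG))
```

Running the script prints the original search's space-delimited rows first, then the same comma-delimited host-to-users table from each of the three fixes. The model also makes jrodman's point concrete: mvcombine only has work to do once mvexpand has turned the per-host row back into one single-value event per user.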

mcomfurf
Path Finder

I want a table like so:

host1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10

What I'm getting now is:

host1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10


jrodman
Splunk Employee

What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.

What do you want as your ultimate table?
