- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- mvcombine ignores specified delimiter
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mvcombine ignores specified delimiter
We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in in a comma-delimted list per host. I'm using the Splunk search
source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host | mvcombine delim="," user
This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This guy has the right answer here:
https://answers.splunk.com/answers/242855/mvcombine-ignores-specified-delimiter-1.html
In short, your search needs to move the delim parameter to your stats command, like this.
source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.
Why didn't it work?
mvcombine takes fields from different events and combines them. For example:
| gentimes start=-1
| eval foo="cat;bear;monkey;horse;dog"
| fields foo | eval foo=split(foo,";")
| mvexpand foo
Then if we try mvcombine and use nomv, you can see the effect of the delim argument:
[...]
| mvcombine delim="DelimsROCK" foo
| nomv foo
Other than the stats command, how can we make it work?
Option 1: Utilize mvexpand and nomv
The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user
Note: There are two additions mvexpand and nomv
Option 2 (preferred): Use the mvjoin
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| eval user=mvjoin(user,",")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want a table like so:
host 1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10
What I'm getting now is:
host 1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.
What do you want as your ultimate table?
Monitoring MariaDB and MySQL
Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...
Splunk Federated Analytics for Amazon Security Lake
