Getting Data In

mvcombine ignores specified delimiter

mcomfurf
Path Finder

We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in in a comma-delimted list per host. I'm using the Splunk search

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host |  mvcombine delim="," user

This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.

0 Karma

peter7431
Explorer

This guy has the right answer here:
https://answers.splunk.com/answers/242855/mvcombine-ignores-specified-delimiter-1.html

In short, your search needs to move the delim parameter to your stats command, like this.

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user

triest
Communicator

In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.

Why didn't it work?

mvcombine takes fields from different events and combines them. For example:

| gentimes start=-1 
| eval foo="cat;bear;monkey;horse;dog" 
| fields foo | eval foo=split(foo,";")
|  mvexpand foo

Then if we try mvcombine and use nomv, you can see the effect of the delim argument:

[...]
| mvcombine delim="DelimsROCK" foo
|  nomv foo

Other than the stats command, how can we make it work?

Option 1: Utilize mvexpand and nomv

The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user

Note: There are two additions mvexpand and nomv

Option 2 (preferred): Use the mvjoin

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host 
| eval user=mvjoin(user,",")
0 Karma

mcomfurf
Path Finder

I want a table like so:

host 1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10

What I'm getting now is:

host 1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10

0 Karma

jrodman
Splunk Employee
Splunk Employee

What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.

What do you want as your ultimate table?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...