Solved: mvcombine ignores specified delimiter

markwymer · ‎06-11-2015

My apologies for the duplicated question - I wasn't sure whether I could tag my particular situation re- mvcombine not using the delimiter when specified.

The search I'm using is
* | stats list(Logon_Source_IP) AS IPList | mvcombine delim=" OR " IPList

what I was hoping to get is (example)
192.10.0.4 OR 192.11.4.23 OR 192.15.12.13

what I'm actually getting back is:
192.10.0.4 192.11.4.23 192.15.12.13

i.e. no delimiter

Any ideas? I did notice that, in another post, someone had used
* | stats delim=" OR " list(Logon_Source_IP) AS IPList
but that ignored the delimiter too.

Any ideas?

markwymer · ‎06-11-2015

Hi,

Not sure whether this is a bug or a documentation issue - either way I'm unable to raise a support case as, technically, we're still doing a POC on Splunk.

However, after a phone call and a bit more hunting I came across this document..... http://answers.splunk.com/answers/102260/delim-argument-in-stats-function-no-longer-supported.html - and this answer works perfectly.

My search is now:
* | stats delim=" OR " list(Logon_Source_IP) AS IPList | mvcombine IPList
which gives me the results I'd hoped for.

View solution in original post

markwymer · ‎06-11-2015

Hi,

Not sure whether this is a bug or a documentation issue - either way I'm unable to raise a support case as, technically, we're still doing a POC on Splunk.

However, after a phone call and a bit more hunting I came across this document..... http://answers.splunk.com/answers/102260/delim-argument-in-stats-function-no-longer-supported.html - and this answer works perfectly.

My search is now:
* | stats delim=" OR " list(Logon_Source_IP) AS IPList | mvcombine IPList
which gives me the results I'd hoped for.

mvcombine ignores specified delimiter

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?