Monitoring Splunk

can we use semicolon instead of comma in MVZIP

smolcj
Builder

is it possible to use semicolon instead of comma in MVZIP??

Tags (1)
0 Karma

DalJeanis
Legend

If you mean "can I use semicolon to separate the data from the two zipped multivalue fields ", then the answer is yes.

 | eval mydata=mvzip(Field1, Field2,";") 

Using the above on Field1 which has value...

Field1Value1
Field1Value2
Field1Value3

...and Field2 which has value...

Field2ValueA
Field2ValueB
Field2ValueC

...results in a multivalue field named mydata with...

Field1Value1;Field2ValueA
Field1Value2;Field2ValueB
Field1Value3;Field2ValueC
0 Karma

ajrichardson
Engager

no it is not possible. This is the error you will get:
Error in 'eval' command: The expression is malformed. Expected ).

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...