Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do i specify a multivalue field when I’m outputting key/value pairs?

splunkIT
Splunk Employee
Splunk Employee
‎09-22-2015 08:26 AM

So let's say i want an event
field1=blah field2=blah field3=blah,blah2,blah3

and i want field 3 to be extracted at a multivalue field without any extra config? Do i need to do something special? Is there some special way to output this to where splunk will extract it as a multivalue without any extra config? commas definitely don’t work, also field3=blah field3=blah2 also don’t work

Reply

Flynt
Splunk Employee
Splunk Employee
‎09-22-2015 08:37 AM

If you want to do this at search time -

Use makemv to make the field a multivalue field

|stats count|fields - count|eval field1="blah"|eval field2="blah" |eval field3="blah,blah2,blah3"|table *|makemv field3 delim=","

This will give you -

field1  field2   field3
blah    blah     blah
                   blah2
                   blah3

In your Splunk results. Note that we tell it what delim to use.

Reply

splunkIT
Splunk Employee
Splunk Employee
‎09-22-2015 10:53 AM

I need to know how to have splunk AUTOMATICALLY extract multivalues from the format specified. Or is this not possible?

0 Karma
Reply

somesoni2
Revered Legend
‎09-22-2015 11:40 AM

Splunk can not automatically extract multivalued field from the format in question. Values are delimited by comma (for field3) which can be a valid character in the value. The only option is to handle it during search-time (this answer by @Flynt OR using props/transforms config files.

Reply

RicoSuave
Builder
‎09-22-2015 08:32 AM

You can use this in your search: http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/mvexpand

Or configure props.conf with:

KV_MODE = multi

Reply

splunkIT
Splunk Employee
Splunk Employee
‎10-05-2015 05:48 PM

MV_ADD might also work as well:
http://answers.splunk.com/answers/109827/multiple-key-value-pairs-during-search.html

http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
already exists.
* If set to true, the extractor makes the field a multivalued field and
appends the newly found value, otherwise the newly found value is
discarded.
* Defaults to false

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...