How to convert to multivalue field?

pc1234 · ‎10-11-2022

I'm trying to convert a field with multiple results into a multivalue field.

I'm querying a host lookup table that has several hostnames. I'd like to create a single multivalue field containing all the hostnames returned by the inputlookup command separated by a comma. I'm using the makemv command to do this but it returns each host as a separate result instead of a single result with all the hosts separated by commas.

Any suggestions?

here's my query:

| inputlookup host_table

fields hostname
| makemv delim="," hostname

| table hostname

Thanks in advance.

yuanliu · ‎10-11-2022

First, please clarify that you want a comma-delimited string as output, not a multivalue field. Is this correct? to get a true multivalue field, use

| inputlookup host_table
| stats values(hostname) as hostname

To get one comma-separated text string, do

| inputlookup host_table
| stats values(hostname) as hostname
| eval hostname = mvjoin(hostname, ",")

This latter output will be single-valued.

How to convert to multivalue field?

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

How to convert to multivalue field?

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions