Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert to multivalue field?

pc1234
Explorer
‎10-11-2022 04:06 PM

I'm trying to convert a field with multiple results into a multivalue field.

I'm querying a host lookup table that has several hostnames. I'd like to create a single multivalue field containing all the hostnames returned by the inputlookup command separated by a comma. I'm using the makemv command to do this but it returns each host as a separate result instead of a single result with all the hosts separated by commas. 

 

Any suggestions?

here's my query:

| inputlookup host_table

fields hostname
| makemv delim="," hostname

| table hostname

 

Thanks in advance.

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-11-2022 04:32 PM

First, please clarify that you want a comma-delimited string as output, not a multivalue field.  Is this correct?  to get a true multivalue field, use

| inputlookup host_table
| stats values(hostname) as hostname

To get one comma-separated text string, do

| inputlookup host_table
| stats values(hostname) as hostname
| eval hostname = mvjoin(hostname, ",")

This latter output will be single-valued.

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...