Solved: MV field split by comma and not line break

mdsnmss · ‎04-21-2017

I have a group of multivalue fields that are listed with linebreaks . I'm looking to remove the line breaks from one field and have them separated by comma instead. Here is the structure and what I am looking for:

Original:
FieldA | FieldB |FieldC |FieldD |FieldE
Val1   | val1   | val1  | val1  | val1
       | val2   | val2
       | val3   | val3
       | etc    | etc
Val2   | val1   | val1  | val1  | val1
       | val2   | val2
       | val3   | val3
       |etc     |etc

Desired:
FieldA | FieldB             |FieldC |FieldD |FieldE
Val1   | val1,val2,val3,etc | val1  | val1  | val1
                            | val2
                            | val3
                            | etc
Val2   | val1,val2,val3,etc | val1  | val1  | val1
                            | val2
                            | val3
                            | etc

Sorry if the formatting is a bit confusing. I tried using "makemv FieldB delim=","" and got the field values to appear on the same row but with a space instead of a comma. Any ideas?

mdsnmss · ‎04-21-2017

I got it. Use mvjoin in an eval.

| eval FieldB=mvjoin(FieldB,",")

View solution in original post

mdsnmss · ‎04-21-2017

I got it. Use mvjoin in an eval.

| eval FieldB=mvjoin(FieldB,",")

MV field split by comma and not line break

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!