Solved: MV field split by comma and not line break

mdsnmss · ‎04-21-2017

I have a group of multivalue fields that are listed with linebreaks . I'm looking to remove the line breaks from one field and have them separated by comma instead. Here is the structure and what I am looking for:

Original:
FieldA | FieldB |FieldC |FieldD |FieldE
Val1   | val1   | val1  | val1  | val1
       | val2   | val2
       | val3   | val3
       | etc    | etc
Val2   | val1   | val1  | val1  | val1
       | val2   | val2
       | val3   | val3
       |etc     |etc

Desired:
FieldA | FieldB             |FieldC |FieldD |FieldE
Val1   | val1,val2,val3,etc | val1  | val1  | val1
                            | val2
                            | val3
                            | etc
Val2   | val1,val2,val3,etc | val1  | val1  | val1
                            | val2
                            | val3
                            | etc

Sorry if the formatting is a bit confusing. I tried using "makemv FieldB delim=","" and got the field values to appear on the same row but with a space instead of a comma. Any ideas?

mdsnmss · ‎04-21-2017

I got it. Use mvjoin in an eval.

| eval FieldB=mvjoin(FieldB,",")

View solution in original post

mdsnmss · ‎04-21-2017

I got it. Use mvjoin in an eval.

| eval FieldB=mvjoin(FieldB,",")

MV field split by comma and not line break

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

MV field split by comma and not line break

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR