Solved: Makemv command question

bcarr12 · ‎11-20-2017

What is the best way to use the Makemv command when my logs have no delimiter? For example:

field=abcd

Where a, b, c, and d are unique values. I'm looking to get the count of each in my logs, but I am wondering what the best way would be to delimit them. The values will always be a single letter and the "end" of the field/value pair will be a space. For example:

field1=value1 field=abcd field3=value3

Thanks!

elliotproebstel · ‎11-20-2017

I'd add a delimiter (like a comma) with a regex and then makemv afterwards:

| stats count | eval this="abcd" | rex field=this mode=sed "s/(.)/\1,/g" | makemv delim="," this

View solution in original post

elliotproebstel · ‎11-20-2017

I'd add a delimiter (like a comma) with a regex and then makemv afterwards:

| stats count | eval this="abcd" | rex field=this mode=sed "s/(.)/\1,/g" | makemv delim="," this

bcarr12 · ‎11-20-2017

Thank you! This was exactly what I needed to do. Much appreciated.

Makemv command question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation