Solved: Makemv command question

bcarr12 · ‎11-20-2017

What is the best way to use the Makemv command when my logs have no delimiter? For example:

field=abcd

Where a, b, c, and d are unique values. I'm looking to get the count of each in my logs, but I am wondering what the best way would be to delimit them. The values will always be a single letter and the "end" of the field/value pair will be a space. For example:

field1=value1 field=abcd field3=value3

Thanks!

elliotproebstel · ‎11-20-2017

I'd add a delimiter (like a comma) with a regex and then makemv afterwards:

| stats count | eval this="abcd" | rex field=this mode=sed "s/(.)/\1,/g" | makemv delim="," this

View solution in original post

elliotproebstel · ‎11-20-2017

I'd add a delimiter (like a comma) with a regex and then makemv afterwards:

| stats count | eval this="abcd" | rex field=this mode=sed "s/(.)/\1,/g" | makemv delim="," this

bcarr12 · ‎11-20-2017

Thank you! This was exactly what I needed to do. Much appreciated.

Makemv command question

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!