Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Makemv example not working

blurblebot
Communicator
‎04-25-2011 03:40 PM

In trying to use makemv, which seems incredibly simple, I've been ingesting multiple iterations of a single event with multiple values per the single key to get a working example of my own. I've had to regress down to what I thought would be the simplest possible data sample, but with still no success.

My data is:

direction=up, down, left, right

That's it. I can call that event up with it's manually-labeled sourcetype (sample009), and it appears correctly. However, makemv does nothing to it.

my search:

sourcetype=sample009 | makemv delim=", " direction | stats count(direction)

yields a one-row table, where I'd have expected a four-row table.

Next, 

sourcetype=sample009 | makemv delim=", " direction

yields 1 value for direction (up). I would have expected 4 values.

I don't think it's possible to make a much simpler set of data to experiment with, so am I fundamentally misunderstanding something, or is this a bug? Maybe I have some funky precedence issue?

Tags (1)
0 Karma
Reply

acdevlin
Communicator
‎08-10-2011 10:07 AM

I'm having trouble replicating your issue. In my own data, I have a field called "other" which looks similar to this:

"204.2.223.84, 204.2.223.84, 72.163.4.153" 50496/0

My query to split it was the following:

sourcetype="access_combined" | makemv delim="," other | top other

The results were as follows:

alt text

So makemv DID successfully split up the field, albiet with a few weird formatting issues that could probably be fixed if I were willing to spend the time on it. The point remains: I'm not seeing the problem that you are having on my end, for whatever reason.

Given the (seemingly) finnicky nature of makemv, I would thus recommend seeking alternatives to makemv. As one example, it looks like you can fiddle with fields.conf to extract direction as a multivalue field (see http://docs.splunk.com/Documentation/Splunk/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields).

If you absolutely must have makemv in your query, I apologize but it seems to be working properly on my end and I have no clue as to where your problem lies.

Reply

blurblebot
Communicator
‎08-10-2011 04:22 PM

confs it is. thank you

0 Karma
Reply

acdevlin
Communicator
‎08-10-2011 02:43 PM

Huh...I would not have guessed that the quotes mattered. Good find!

The only alternative I can think of for not using quotes at the moment is - again - to avoid using makemv. I guess if the effort of changing your .conf files correctly is less than the effort of retrofitting those data sources, it might be something to consider.

Reply

blurblebot
Communicator
‎08-10-2011 10:51 AM

How can we get past having to enclose all of our multivalue values in quotes, or is that just par for the course? It wouldn't be a big deal if it didn't mean having to retrofit all of our data sources to include quotes around multivalue values, but it does.

0 Karma
Reply

blurblebot
Communicator
‎08-10-2011 10:51 AM

acdevlin - Thanks for your example. There is a key difference between your sample data and ours, however: quotes.

In all of my examples, none of my individual values (or groups of values) are enclosed with quotes, but your example data is. We've tried enclosing the multiple values of a fresh data sample in quotes, and that has made a big difference. It works.

...

Reply

bwooden
Splunk Employee
Splunk Employee
‎04-25-2011 07:16 PM

You've taken good steps in isolating the variable and trying a few different techniques. The difficulty you're experiencing may be related to 'events' vs 'results'. In the search app, you can switch between the event view, the event table, and the results table. Most searches pick the best view to use automatically.

If you would just like to just see 4 results you could split by direction:

sourcetype=sample009 | makemv delim=", " direction | stats count by direction

To see 4 events you could invoke the mvexpand command:

sourcetype=sample009 | makemv delim=", " direction | mvexpand direction
Reply

yasaracar
Explorer
‎10-16-2015 06:43 AM

I had the same problem, I could find makemv delim="," solution everywhere, but mvexpand was really helpful for the solution.
Thanks a lot

0 Karma
Reply

landen99
Motivator
‎11-07-2014 12:59 PM

Your code matches values on "," or " " (space) and yield null values which require that you add the option allowempty=t
That is my theory.

0 Karma
Reply

RVDowning
Contributor
‎05-10-2012 01:21 PM

I've been pulling my hair out over this. At least now I understand why I haven't been getting my use of makemv to work. They need to fix this. I'm on 4.3 and it still doesn't work.

0 Karma
Reply

blurblebot
Communicator
‎08-10-2011 08:51 AM

crickets....

0 Karma
Reply

blurblebot
Communicator
‎04-26-2011 08:10 AM

My point is that none of these, your examples included, create 4 of anything. (except tears)

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...