Solved: makemv delims not working

mcm10285 · ‎06-26-2013

Hi, don't seem to see the problem but makemv doesn't work on the search below.

sourcetype=st1 < some search >|rename field3 as mvfield|makemv mvfield delim=","|stats count by field1 field2 mvfield

This results to 3 matching events and the table below:

field1a field2b mvfield3C

field1a field2b mvfield3D

field1a field2b mvfield3E

I was hoping it would be:

field1a field2b mvfield3C,mvfield3D,mvfield3E

Or instead of commas, a carriage return. Not really sure if makemv is the right command.

mcm10285 · ‎06-26-2013

Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.

omidg · ‎04-20-2017

I know this is an old question but maybe this will help a beginner out there like me.

It is important to make sure that the value of the field has double quotes around it.

For example:

| makemv delim="," Field

Field=192.168.1.100,192.168.1.120 => will NOT work
Field="192.168.1.100,192.168.1.120" => will work

mcm10285 · ‎06-26-2013

Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.

makemv delims not working