- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, don't seem to see the problem but makemv doesn't work on the search below.
sourcetype=st1 < some search >|rename field3 as mvfield|makemv mvfield delim=","|stats count by field1 field2 mvfield
This results to 3 matching events and the table below:
field1a field2b mvfield3C
field1a field2b mvfield3D
field1a field2b mvfield3E
I was hoping it would be:
field1a field2b mvfield3C,mvfield3D,mvfield3E
Or instead of commas, a carriage return. Not really sure if makemv is the right command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is an old question but maybe this will help a beginner out there like me.
It is important to make sure that the value of the field has double quotes around it.
For example:
| makemv delim="," Field
Field=192.168.1.100,192.168.1.120 => will NOT work
Field="192.168.1.100,192.168.1.120" => will work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.
