Splunk Search

makemv delims not working

Communicator

Hi, don't seem to see the problem but makemv doesn't work on the search below.

sourcetype=st1 < some search >|rename field3 as mvfield|makemv mvfield delim=","|stats count by field1 field2 mvfield

This results to 3 matching events and the table below:

field1a field2b mvfield3C

field1a field2b mvfield3D

field1a field2b mvfield3E

I was hoping it would be:

field1a field2b mvfield3C,mvfield3D,mvfield3E

Or instead of commas, a carriage return. Not really sure if makemv is the right command.

Tags (2)
1 Solution

Communicator

Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.

View solution in original post

Engager

I know this is an old question but maybe this will help a beginner out there like me.

It is important to make sure that the value of the field has double quotes around it.

For example:

| makemv delim="," Field

Field=192.168.1.100,192.168.1.120 => will NOT work
Field="192.168.1.100,192.168.1.120" => will work

Communicator

Figured this one out. Had to use transaction to make events as one event and get an actual multivalue field.

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!