Solved: makemv not working

brinley · ‎07-24-2019

I have the following single-value field (that really should be a multi-value field):

puppy_name="Spot Dexter Jake"

It really should be a multivalue field, like ...

puppy_name="Spot" "Dexter" "Jack"

Here is what I have tried:

index=puppies | makemv puppy_name delim=" "

Unfortunately that is not working. I can tell because when when I expand an event with the field puppy_name and hover over puppy_name's value in the dropdown, "Spot Dexter Jack" is still a single unit. What am I doing wrong?

brinley · ‎07-24-2019

I figured it out. I was using the wrong delim. The delim between each puppy name appeared to be a space in the search results but it was really a newline. Passing delim="\n" to makemv didn't work, so I just converted the newlines into a bar, "|", and then used the bar as the delim.

Final query:

index="puppies" | eval new_puppy_name=puppy_name | rex mode=sed field="new_puppy_name" "s/\n/|/g"| makemv new_puppy_name delim="|"

View solution in original post

brinley · ‎07-24-2019

I figured it out. I was using the wrong delim. The delim between each puppy name appeared to be a space in the search results but it was really a newline. Passing delim="\n" to makemv didn't work, so I just converted the newlines into a bar, "|", and then used the bar as the delim.

Final query:

index="puppies" | eval new_puppy_name=puppy_name | rex mode=sed field="new_puppy_name" "s/\n/|/g"| makemv new_puppy_name delim="|"

makemv not working

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024