Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multivalues in field

ken_t_huang
Explorer
‎06-14-2011 08:28 PM

I have a data like this:

NUM=001,Rules="Food Water"

NUM=002,Rules="Water Product"

NUM=003,Rules="Water"

NUM=004,Rules="Product"

NUM=005,Rules="Water Product"

and when I pick the field for "Rules", it shows:

rules (categorical)
Top 10 values of rules
Value               #     %
**Water Product     2     40%
Food Water          1     20%
Water               1     20%
Product             1     20%**

how can I show the correct category? like below:

rules (categorical)
Top 10 values of rules
Value       #     %
**Water     4     50%
Product     3     37.5%
Food        1     12.5%**

please kindly help this issue, thanks.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-14-2011 11:05 PM

This should work to turn the Rules field into a multivalue field. 

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-14-2011 11:05 PM

This should work to turn the Rules field into a multivalue field. 

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

0 Karma
Reply
Solved! Jump to solution

ken_t_huang
Explorer
‎06-14-2011 11:18 PM

hi nick, thanks you answer, I think set configure is better, but I don't know clear about this configure, could you give me an example? thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...