Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

multivalues in field

ken_t_huang
Explorer
‎06-14-2011 08:28 PM

I have a data like this:

NUM=001,Rules="Food Water"

NUM=002,Rules="Water Product"

NUM=003,Rules="Water"

NUM=004,Rules="Product"

NUM=005,Rules="Water Product"

and when I pick the field for "Rules", it shows:

rules (categorical)
Top 10 values of rules
Value               #     %
**Water Product     2     40%
Food Water          1     20%
Water               1     20%
Product             1     20%**

how can I show the correct category? like below:

rules (categorical)
Top 10 values of rules
Value       #     %
**Water     4     50%
Product     3     37.5%
Food        1     12.5%**

please kindly help this issue, thanks.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-14-2011 11:05 PM

This should work to turn the Rules field into a multivalue field. 

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-14-2011 11:05 PM

This should work to turn the Rules field into a multivalue field. 

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

0 Karma
Reply
Solved! Jump to solution

ken_t_huang
Explorer
‎06-14-2011 11:18 PM

hi nick, thanks you answer, I think set configure is better, but I don't know clear about this configure, could you give me an example? thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...