makemv
This documentation does not apply to the most recent version of Splunk.
Synopsis
Changes a specified field into a multi-value field during a search.
Syntax
makemv [delim=string|tokenizer=string] [allowempty=bool] [setsv=bool] field
Arguments
- delim
- Datatype: <string>
- Description: Defines one or more characters that separate each field value.
- tokenizer
- Datatype: <string>
- Description: Defines a regex tokenizer to delimit the field values.
- allowempty
- Datatype: <bool>
- Description: Specifies whether or not consecutive delimiters should be treated as one (default = false).
- setsv
- Datatype: <bool>
- Description: The setsv boolean option controls if the original value of the field should be kept for the single valued version (default = false).
Description
Treats the specified field as multi-valued, using either a simple string delimiter (which can be multi-character) or a regex tokenizer. If neither is provided, a default delimiter of " " (single space) is assumed. The allowempty option controls whether consecutive delimiters are treated as one (default = false). The setsv option controls whether the original value of the field is kept for the single-valued version. It is kept if setsv = false, and it is false by default.
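The splitting rules described above, modelled in Python as an added example (not Splunk's code). The function names `makemv` and `top` and the sample events are constructed for illustration. It assumes that allowempty=false drops the empty values produced by consecutive delimiters, and that a tokenizer regex contributes its first capture group for each match.

```python
import re
from collections import Counter


def makemv(value, delim=" ", tokenizer=None, allowempty=False):
    """Model of the splitting rules: return the list of values for one field."""
    if tokenizer is not None:
        # Assumption: each regex match contributes its first capture group.
        values = [m.group(1) for m in re.finditer(tokenizer, value)]
    else:
        # delim is a literal string and may be several characters long.
        values = value.split(delim)
    if not allowempty:
        # Consecutive delimiters are treated as one: empty values are dropped.
        values = [v for v in values if v != ""]
    return values


def top(events, field, **opts):
    """Tally values across events, the role `top senders` plays for a split field."""
    counts = Counter()
    for event in events:
        counts.update(makemv(event[field], **opts))
    return counts.most_common()


# Constructed sample events (not real log data).
EVENTS = [
    {"senders": "alice@example.com,bob@example.com"},
    {"senders": "bob@example.com,,carol@example.com"},
    {"senders": "bob@example.com"},
]

if __name__ == "__main__":
    print(top(EVENTS, "senders", delim=","))
    print(makemv("a::b:c", delim=":"))
    print(makemv("a::b:c", delim=":", allowempty=True))
```

With allowempty left at its default, the doubled comma in the second event does not create an empty sender that would skew the counts.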
Examples
Example 1: For sendmail search results, separate the values of "senders" into multiple values. Then, display the top values.
eventtype="sendmail" | makemv delim="," senders | top senders
Example 2: Separate the value of "foo" into multiple values.
... | makemv delim=":" allowempty=t foo
See also
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11