mvcombine
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
mvcombine
Synopsis
Combines events in the search results that have a single differing field value into one result with a multi-value field of the differing field.
Syntax
mvcombine [delim=string] field
Arguments
- delim
- Datatype: <string>
- Description: Defines the string character to delimit each value.
Description
For each group of results that are identical except for the given field, combine them into a single result where the given field is a multivalue field. delim controls how values are combined, defaulting to a space character (' ').
Examples
Example 1: Combine the values of "foo" with ":" delimiter.
... | mvcombine delim=":" foo
See also
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.