makemv
Synopsis
Changes a specified field into a multi-value field during a search.
Syntax
makemv [delim=<string>|tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>
Required arguments
- field
- Syntax: <field>
- Description: Specify the name of a field.
Optional arguments
- delim
- Syntax: delim=<string>
- Description: Defines one or more characters that separate each field value. Defaults to a single space (" ").
- tokenizer
- Syntax: tokenizer=<string>
- Description: Defines a regex tokenizer to delimit the field values.
- allowempty
- Syntax: allowempty=<bool>
- Description: Specifies whether or not consecutive delimiters should be treated as one. Defaults to false.
- setsv
- Syntax: setsv=<bool>
- Description: Controls whether the original value of the field is kept for the single-valued version. Defaults to false.
Description
Treats the specified field as multi-valued, using either a simple string delimiter (which can be multiple characters) or a regex tokenizer.
Examples
Example 1: For sendmail search results, separate the values of "senders" into multiple values. Then, display the top values.
eventtype="sendmail" | makemv delim="," senders | top senders
Example 2: Separate the value of "foo" into multiple values.
... | makemv delim=":" allowempty=t foo
See also
Answers
Have questions? Visit Splunk Answers to see the questions and answers the Splunk community has about using the makemv command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2