mvcombine
Synopsis
Combines events in the search results that have a single differing field value into one result with a multi-value field of the differing field.
Syntax
mvcombine [delim=<string>] <field>
Required arguments
- field
- Syntax: <field>
- Description: The field whose value differs between otherwise identical results. In each combined result this field becomes a multivalue field holding all of the differing values.
Optional arguments
- delim
- Syntax: delim=<string>
- Description: The string placed between the combined values. Defaults to a single space (" ").
Description
For each group of results that are identical except for the given field, combine them into a single result in which the given field is a multivalue field containing every value seen in the group. delim controls the string used to separate the values when they are combined, defaulting to a space character (" ").
Examples
Example 1: Combine the values of the field "foo", using ":" as the delimiter.
... | mvcombine delim=":" foo
Example 2: Suppose you have three events that are identical except for the value of the ip field:
Nov 28 11:43:48 2010 host=datagen-host1 type=dhclient: bound to ip=209.202.23.154 message= ASCII renewal in 5807 seconds.
Nov 28 11:43:49 2010 host=datagen-host1 type=dhclient: bound to ip=160.149.39.105 message= ASCII renewal in 5807 seconds.
Nov 28 11:43:49 2010 host=datagen-host1 type=dhclient: bound to ip=199.223.167.243 message= ASCII renewal in 5807 seconds.
The following search combines them into a single result whose ip field holds all three addresses, separated by ",":
... | mvcombine delim="," ip
Example 3: Combine the RecordNumber values of Windows Security events that are otherwise identical in EventCode and Category, then use nomv to render the resulting multivalue field as a single comma-delimited value:
sourcetype="WMI:WinEventLog:Security" | fields EventCode, Category,RecordNumber | mvcombine delim="," RecordNumber | nomv RecordNumber
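To make the grouping rule in Examples 2 and 3 concrete, the following Python models what mvcombine does to a result set and what nomv then does to the multivalue field. This is an added illustration written for this page, not Splunk's implementation. The sample results are constructed from the dhclient events in Example 2 (a fourth event from a different host is added to show what is not merged), and the model assumes that a result consists only of the extracted fields shown and that every field other than the one named is part of the grouping key.

```python
from collections import OrderedDict
from typing import Dict, List


class MultiValue(list):
    """A multivalue field: an ordered list of values plus the delimiter
    mvcombine was given, used when the field is rendered as one string."""

    def __init__(self, values=(), delim=" "):
        super().__init__(values)
        self.delim = delim

    def render(self) -> str:
        return self.delim.join(self)


# Constructed sample results modelled on Example 2. Timestamps are left out
# on the assumption that only these extracted fields are in the result set.
SAMPLE_RESULTS: List[Dict[str, str]] = [
    {"host": "datagen-host1", "type": "dhclient", "ip": "209.202.23.154",
     "message": "ASCII renewal in 5807 seconds."},
    {"host": "datagen-host1", "type": "dhclient", "ip": "160.149.39.105",
     "message": "ASCII renewal in 5807 seconds."},
    {"host": "datagen-host1", "type": "dhclient", "ip": "199.223.167.243",
     "message": "ASCII renewal in 5807 seconds."},
    # Differs in host as well as ip, so it must stay a separate result.
    {"host": "datagen-host2", "type": "dhclient", "ip": "10.0.0.5",
     "message": "ASCII renewal in 5807 seconds."},
]


def mvcombine(results: List[Dict[str, str]], field: str,
              delim: str = " ") -> List[Dict[str, object]]:
    """Merge results that are identical except for `field`.

    The grouping key is every (name, value) pair other than `field`, so two
    results only merge when nothing but `field` distinguishes them. Merged
    results come back in first-seen order with `field` as a MultiValue.
    """
    groups: "OrderedDict[tuple, Dict[str, object]]" = OrderedDict()
    for result in results:
        key = tuple(sorted((k, v) for k, v in result.items() if k != field))
        if key not in groups:
            merged: Dict[str, object] = {
                k: v for k, v in result.items() if k != field}
            merged[field] = MultiValue(delim=delim)
            groups[key] = merged
        if field in result:
            groups[key][field].append(result[field])
    return list(groups.values())


def nomv(results: List[Dict[str, object]], field: str) -> List[Dict[str, object]]:
    """Model of nomv: render the multivalue `field` back to a single string
    joined with the delimiter recorded by mvcombine."""
    out = []
    for result in results:
        copy = dict(result)
        value = copy.get(field)
        if isinstance(value, MultiValue):
            copy[field] = value.render()
        out.append(copy)
    return out


if __name__ == "__main__":
    combined = mvcombine(SAMPLE_RESULTS, "ip", delim=",")
    for row in nomv(combined, "ip"):
        print(row["host"], row["ip"])
```

Running the block prints one line for datagen-host1 carrying all three addresses and a separate line for datagen-host2, which is the behaviour a practitioner should expect: any field left in the result set that varies between events, such as a per-event timestamp, prevents those events from being combined, which is why the search in Example 3 narrows the result to EventCode, Category and RecordNumber with `fields` before calling mvcombine.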
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2