Manipulate and evaluate fields with multiple values

Manipulate and evaluate fields with multiple values

Splunk parses multivalue fields at search time, and allows you to process the values in the search pipeline. Search commands that work with multivalue fields include makemv, mvcombine, mvexpand, and nomv. The eval and where commands support functions, such as mvcount(), mvfilter(), mvindex(), and mvjoin() that you can use with multi-valued fields. For more information on these functions see the Functions for eval and where in the Search Reference manual and the examples on this page.

You can configure multi-value fields in fields.conf to tell Splunk how to recognize more than one field value in a single extracted field value. Edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on how to do this, see "Configure multivalue fields" in the Knowledge Manager manual.

Manipulate multivalued fields

Use nomv to convert a multivalue field into a single value

You can use the nomv command to convert values of the specified multivalued field into one single value. The nomv command overrides multivalue field configurations set in fields.conf.

In this example for sendmail events, you want to combine the values of the senders field into a single value.

Use makemv to separate a multivalue field

You can use the makemv command to separate multivalue fields into multiple single value fields. In this example for sendmail search results, you want to separate the values of the "senders" field into multiple field values.

After you separate the field values, you can pipe it through other commands. For example, you can display the top senders.

Use mvexpand to create multiple events based on a multivalue field

You can use the mvexpand command to expand the values of a multivalue field into separate events for each value of the multivalue field. In this example, Splunk creates new events for each value of multivalue field, "foo".

Use mvcombine to create a multivalue field from similar events

Combine the values of "foo" with ":" delimiter.

Evaluate multivalued fields

One of the more common examples of multivalue fields is that of email address fields, which typically appears two to three times in a single sendmail event--once for the sender, another time for the list of recipients, and possibly a third time for the list of Cc addresses, if one exists.

Count the number of values in a field

Use the mvcount() function to count the number of values in a single-valued or multivalued field.

In this example, mvcount() returns the number of email addresses in the To, From, and Cc fields and saves them in the specified "_count" fields.

Note: If only a single email address to exists in the sender field (as you would expect), mvcount(from) returns 1. Also, if there is no Cc address included, the Cc field might not exist for the event and mvcount(cc) returns NULL.

Filter values from a multivalued field

Use the mvfilter() function to filter a multivalued field using an arbitrary Boolean expression.

In this example, mvfilter() keeps all values of the field email that end in .net or .org:

Important: This function works with ONLY ONE field at a time.

Note: This example also uses the match() function to compare the pattern defined in quotes to the value of email. For more information, see Functions for eval and where in the Search Reference manual.

Return a subset of values from a multivalued field

Use the mvindex() function to reference a specific value or a subset of values in a multivalued field. Since the index numbering starts at 0, if you want to reference the 3rd value of a field, you would specify it as 2.

In this example, mvindex() returns the first email address in the "To" field for every email sent by Sender:

If you wanted to see the top 3 email addresses that Sender writes to each time:

Note: In this case, top_three is, itself, a multivalued field.

• Was this topic useful?
• Post a comment