Combines a group of results that are identical, except for the given field, into a single result where the given field is a multivalue field.
In more detail: accepts a set of input results and finds groups of results where all field values are identical, save the selected field. All of these results are merged into a single result, where the selected field is now multivalue, containing all of the values from the merged results.
Because raw events have many fields that vary, this command is most typically useful after paring down the set of available fields with the fields command. The command is also useful for manipulating the results of certain reporting commands.
As a special additional behavior, mvcombine also generates a single-value version of the field that combines all the values into a single string. The string is delimited by the string given in the delim parameter. Some modes of investigating the search results prefer this single-value representation, such as exporting to CSV in the UI, or running a command line search with splunk search "..." -output csv. Some commands that are not multivalue aware might use this single value as well.
Most forms of accessing the search results prefer the multivalue representation, such as viewing the results in the UI, exporting to JSON, requesting JSON from the command line search with splunk search "..." -output json, or requesting JSON or XML from the REST API. For these forms of access, the selected delim has no effect.
mvcombine [delim=<string>] <field>
- Syntax: <field>
- Description: The name of a field to merge on, generating a multivalue field.
- Syntax: delim=<string>
- Description: Defines the string to use to generate the combined-string form of the combined single value field. For example, if the values of your field are "1", "2", and "3", and delim is ", " then your combined single value field would be "1, 2, 3".
- Default: a single space (" ")
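To make the two representations described above concrete, here is an added Python model of the mvcombine grouping and merging behavior (example code, not Splunk's implementation). It uses constructed results modelled on the dhclient events below, and the "_single" suffix is this model's own device for showing the single-value form next to the multivalue form.

```python
from collections import defaultdict

# Constructed sample results, modelled on the dhclient events on this page
# after `| fields host type ip` has pared down the field set (not real
# Splunk output). The fourth result differs in host, so it must not merge.
RESULTS = [
    {"host": "datagen-host1", "type": "dhclient", "ip": "188.8.131.52"},
    {"host": "datagen-host1", "type": "dhclient", "ip": "184.108.40.206"},
    {"host": "datagen-host1", "type": "dhclient", "ip": "220.127.116.11"},
    {"host": "datagen-host2", "type": "dhclient", "ip": "10.0.0.5"},
]


def mvcombine(results, field, delim=" "):
    """Model of `mvcombine [delim=<string>] <field>`.

    Groups results whose fields, other than `field`, are all identical and
    merges each group into one result. The merged result carries both
    representations: `field` as a list (multivalue form) and
    `field + "_single"` as the delim-joined string (single-value form).
    Splunk keeps both under the same field name; the suffix is only a
    device of this model for showing them side by side.
    """
    groups = defaultdict(list)
    for r in results:
        # Every field except the selected one forms the grouping key.
        key = tuple(sorted((k, v) for k, v in r.items() if k != field))
        vals = groups[key]  # creates the group the first time it is seen
        if field in r:
            vals.append(r[field])
    merged = []
    for key, values in groups.items():  # dict keeps first-seen order
        out = dict(key)
        out[field] = values
        out[field + "_single"] = delim.join(values)
        merged.append(out)
    return merged


def csv_view(merged, field):
    """Single-value consumer (like `-output csv`): delim is visible here."""
    return [row[field + "_single"] for row in merged]


def json_view(merged, field):
    """Multivalue consumer (like `-output json`): delim has no effect."""
    return [row[field] for row in merged]
```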
You have three events that are the same except for the IP address value:
Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=188.8.131.52 message= ASCII renewal in 5807 seconds.
Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=184.108.40.206 message= ASCII renewal in 5807 seconds.
Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=220.127.116.11 message= ASCII renewal in 5807 seconds.
You want to return the three IP addresses in one field and delimit the values with a comma. For example:
ip="18.104.22.168, 22.214.171.124, 126.96.36.199".
Use the following search.
... | mvcombine delim="," ip
In multivalue events:
sourcetype="WMI:WinEventLog:Security" | fields EventCode, Category,RecordNumber | mvcombine delim="," RecordNumber | nomv RecordNumber
Combine the values of "foo" with a colon delimiter.
... | mvcombine delim=":" foo
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18