Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

makemv

Description

Converts a single-valued field into a multivalue field by splitting it on a simple string delimiter, which can be more than one character long. Alternatively, splits the field by using a regex.

Syntax

makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>

Required arguments

field
Syntax: <field>
Description: Specify the name of a field.

Optional arguments

delim
Syntax: delim=<string>
Description: Split field on every occurrence of this string.
Default: A single space (" ").
tokenizer
Syntax: tokenizer=<string>
Description: A regex, with a capturing group, that is repeat-matched against the text of field. For each match, the first capturing group is used as a value of the newly created multivalue field.
allowempty
Syntax: allowempty=<bool>
Description: Permit empty string values in the multivalue field. When using the delim argument, this means that repeats of the delim string produce an empty string value, for example delim="," and field="a,,b". By default this does not produce any value. When using the tokenizer argument, zero-length matches produce empty string values. By default they produce no values.
Default: false
setsv
Syntax: setsv=<bool>
Description: If true, the makemv command combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.)
Default: false

Examples

Example 1:

For sendmail search results, separate the values of "senders" into multiple values. Display the top values.

eventtype="sendmail" | makemv delim="," senders | top senders

Example 2:

Separate the value of "foo" into multiple values.

... | makemv delim=":" allowempty=true foo
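The following is an added example, not part of the Splunk documentation and not Splunk's code: a small Python model of the delim, tokenizer and allowempty rules as this page describes them, applied to the "senders" case from Example 1. The function names, the sample events and the tokenizer pattern are constructed for illustration, and treating an empty captured group as the "zero-length match" case is an assumption.

```python
import re
from collections import Counter


def makemv(value, delim=" ", tokenizer=None, allowempty=False):
    """Model of the makemv splitting rules described on this page."""
    if tokenizer is not None:
        pattern = re.compile(tokenizer)
        if pattern.groups < 1:
            raise ValueError("tokenizer needs a capturing group")
        # Repeat-match the regex against the field text; the first capturing
        # group of each match becomes one value. A group that did not take
        # part in the match is treated as an empty string (assumption).
        values = [m.group(1) or "" for m in pattern.finditer(value)]
    else:
        if delim == "":
            raise ValueError("delim must not be empty")
        # Split on every occurrence of the literal delimiter string,
        # which may be longer than one character.
        values = value.split(delim)
    if not allowempty:
        # Default behaviour: repeated delimiters or empty captures
        # contribute no value at all.
        values = [v for v in values if v != ""]
    return values


def top_senders(events, **kwargs):
    """Split each event's senders field, then count values across events,
    similar in spirit to 'makemv ... senders | top senders'."""
    counts = Counter(v for e in events for v in makemv(e, **kwargs))
    return counts.most_common()


# Constructed sample "senders" field values, one per event.
EVENTS = [
    "alice@example.com,bob@example.com",
    "alice@example.com",
    "carol@example.com,,alice@example.com",
]

if __name__ == "__main__":
    print(makemv("a,,b", delim=","))
    print(makemv("a,,b", delim=",", allowempty=True))
    print(makemv(EVENTS[2], tokenizer=r"([^,]+),?"))
    print(top_senders(EVENTS, delim=","))
```

Without the split, each distinct comma-joined string would be counted as its own value, so an address that appears in several events alongside different co-senders would never be tallied together.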

See also

mvcombine, mvexpand, nomv


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

I do not know if it is a bug or not but this is both unexpected and *undocumented*!
It appears that makemv first calls nomv, and then does its work. This means that if you pass it a field that is already multi-valued and you pass it a delim that does not exist, the behavior of makemv is simply nomv!

Woodcock
April 11, 2016

Is a newline available as a delim and if so how is it specified?

Gilescope
November 21, 2014

There should be an example or description for how to use the tokenizer option.

From testing it out and reading Splunk answers, it seems to use the first capture group in the regex as the token, and the rest of the regex for detecting the delimiter. Is this correct?

Laserval
February 4, 2014
