Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

mvcombine

Description

Combines a group of results that are identical, except for the given field, into a single result where the given field is a multivalue field.

In more detail: accepts a set of input results and finds groups of results where all field values are identical, save the selected field. All of these results are merged into a single result, where the selected field is now multivalue, containing all of the values from the merged results.

Because raw events have many fields that vary, this command is most typically useful after paring down the set of available fields with the fields command. The command is also useful for manipulating the results of certain reporting commands.

As an additional behavior, mvcombine also generates a single-value version of the field that combines all of the values into one string, delimited by the string given in the delim parameter. Some modes of investigating the search results prefer this single-value representation, such as exporting to CSV in the UI, or running a command line search with splunk search "..." -output csv. Some commands that are not multivalue aware might use this single value as well.

Most forms of accessing the search results prefer the multivalue representation, such as viewing the results in the UI, exporting to JSON, requesting JSON from the command line search with splunk search "..." -output json, or requesting JSON or XML from the REST API. For these forms of access, the selected delim has no effect.


Syntax

mvcombine [delim=<string>] <field>

Required arguments

field
Syntax: <field>
Description: The name of a field to merge on, generating a multivalue field.

Optional arguments

delim
Syntax: delim=<string>
Description: Defines the string to use to generate the combined-string form of the combined single value field. For example, if the values of your field are "1", "2", and "3", and delim is ", " then your combined single value field would be "1, 2, 3".
Default: a single space (" ")

Examples

Example 1:

You have three events that are the same except for the IP address value:

Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=209.202.23.154
message= ASCII renewal in 5807 seconds.

Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=160.149.39.105
message= ASCII renewal in 5807 seconds.

Nov 28 11:43:49 2014 host=datagen-host1 type=dhclient: bound to ip=199.223.167.243
message= ASCII renewal in 5807 seconds.

You want to return the three IP addresses in one field and delimit the values with a comma. For example: ip="209.202.23.154, 160.149.39.105, 199.223.167.243".

Use the following search.

... | mvcombine delim="," ip
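The following Python is an added example, not Splunk code, that models the grouping semantics described under Description and applies them to results shaped like the three dhclient events in Example 1. The sample results are constructed by hand (a fourth event on a second host is added to show that results differing in another field are not merged), and the "<field>_single" key and the single_value_rows helper are illustrative names chosen here to show the single-value form that mvcombine generates and that nomv exposes; they are not Splunk field names.

```python
# Added example (not Splunk's code): a toy model of the mvcombine grouping
# semantics described in the Description section, run over results modelled
# on Example 1.
from collections import OrderedDict

# Constructed sample results: the three dhclient events from Example 1 after
# field extraction, plus a fourth event for a different host that must NOT be
# merged with them because its "host" value differs.
SAMPLE_RESULTS = [
    {"host": "datagen-host1", "type": "dhclient", "ip": "209.202.23.154",
     "message": "ASCII renewal in 5807 seconds."},
    {"host": "datagen-host1", "type": "dhclient", "ip": "160.149.39.105",
     "message": "ASCII renewal in 5807 seconds."},
    {"host": "datagen-host1", "type": "dhclient", "ip": "199.223.167.243",
     "message": "ASCII renewal in 5807 seconds."},
    {"host": "datagen-host2", "type": "dhclient", "ip": "10.0.0.7",
     "message": "ASCII renewal in 5807 seconds."},
]


def _hashable(value):
    """Make a field value usable in a grouping key (multivalue fields are lists)."""
    return tuple(value) if isinstance(value, list) else value


def mvcombine(results, field, delim=" "):
    """Merge results that are identical except for `field`.

    Each group of matching results becomes one result in which `field` is a
    list (the multivalue representation). The joined single-value form that
    mvcombine also generates is exposed here under the hypothetical key
    "<field>_single"; Splunk keeps it as an alternate view of the same field.
    """
    # grouping key (all other fields) -> values of `field`, in first-seen order
    groups = OrderedDict()
    for result in results:
        key = tuple(sorted((k, _hashable(v)) for k, v in result.items() if k != field))
        values = groups.setdefault(key, [])
        if field in result:
            values.append(result[field])
    merged = []
    for key, values in groups.items():
        combined = {k: list(v) if isinstance(v, tuple) else v for k, v in key}
        combined[field] = values                          # multivalue form (UI, JSON, REST)
        combined[field + "_single"] = delim.join(values)  # single-value form (CSV export)
        merged.append(combined)
    return merged


def single_value_rows(results, field, delim=" "):
    """Model of following mvcombine with `nomv <field>` (as in Example 2):
    returns rows where `field` holds only the delimited string."""
    rows = []
    for combined in mvcombine(results, field, delim):
        row = {k: v for k, v in combined.items() if k != field + "_single"}
        row[field] = combined[field + "_single"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Same grouping as `... | mvcombine delim="," ip` in Example 1.
    for row in mvcombine(SAMPLE_RESULTS, "ip", delim=", "):
        print(row["host"], "->", row["ip"], "|", row["ip_single"])
```

Running the block prints one row per host: datagen-host1 carries all three addresses, while datagen-host2 stays separate because its host value differs. This is the property a defender relies on when collapsing per-host address lists: only fields that are genuinely identical across events are merged, so paring the field set down first (as the Description recommends) decides how aggressive the merge is.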

Example 2:

Keep only the EventCode, Category, and RecordNumber fields of Windows Security events, combine the RecordNumber values of results that are otherwise identical into a comma-delimited multivalue field, and then use nomv to turn that multivalue field back into a single value:

sourcetype="WMI:WinEventLog:Security" | fields EventCode, Category,RecordNumber | mvcombine delim="," RecordNumber | nomv RecordNumber

Example 3:

Combine the values of "foo" with a colon delimiter.

... | mvcombine delim=":" foo

See also

makemv, mvexpand, nomv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the mvcombine command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

mvcombine squashes all other existing multivalue fields. Is this intended?

Rshoward
October 18, 2016

Hi, Can we update this doc with the info from this Answer? (https://answers.splunk.com/answers/242855/mvcombine-ignores-specified-delimiter-1.html)
The delim option seems to be ignored when using STATS to create the multivalue field.

Kmugglet
June 14, 2016

Thanks, Jguarini! I corrected Example 2.

Sophy, Splunker
January 9, 2013

Example 2 should say "delimits the values with a comma," and not colon since the delim is a comma

Jguarini
January 8, 2013
