Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF



Converts a single valued field into a multivalue field by splitting it on a simple string delimiter, which can be a multicharacter. Alternatively, splits field by using a regex.


makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>

Required arguments

Syntax: <field>
Description: Specify the name of a field.

Optional arguments

Syntax: delim=<string>
Description: Split field on every occurrence of this string.
Default: A single space (" ").
Syntax: tokenizer=<string>
Description: A regex, with a capturing group, that is repeat-matched against the text of field. For each match, the first capturing group is used as a value of the newly created multivalue field.
Syntax: allowempty=<bool>
Description: Permit empty string values in the multivalue field. When using the delim argument, this means that repeats of the delim string produce an empty string value. For example delim="," and field="a,,b". By default this does produce any value. When using the tokenizer argument, zero length matches produce empty string values. By default they produce no values.
Default: false
Syntax: setsv=<bool>
Description: If true, the makemv command combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.)
Default: false


Example 1:

For sendmail search results, separate the values of "senders" into multiple values. Display the top values.

eventtype="sendmail" | makemv delim="," senders | top senders

Example 2:

Separate the value of "foo" into multiple values.

... | makemv delim=":" allowempty=true foo

See also

mvcombine, mvexpand, nomv,


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the makemv command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


I do not know if it is a bug or not but this is both unexpected and *undocumented*!
It appears that makemv first calls nomv, and then does its work. This means that if you pass it a field that is already multi-valued and you pass it a delim that does not exist, the behavior of makemv is simply nomv!

April 11, 2016

Is a newline available as a delim and if so how is it specified?

November 21, 2014

There should be an example or description for how to use the tokenizer option.<br /><br />From testing it out and reading Splunk answers, it seems to use the first capture group in the regex as the token, and the rest of the regex for detecting the delimiter. Is this correct?

February 4, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters