makemv
Description
Converts a single valued field into a multivalue field by splitting the values on a string delimiter or by using a regular expression. The delimiter can be a multicharacter delimiter.
The makemv command does not apply to internal fields.
See Use default fields in the Knowledge Manager Manual.
Syntax
makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>
Required arguments
- field
- Syntax: <field>
- Description: The name of a field to generate the multivalues from.
Optional arguments
- delim
- Syntax: delim=<string>
- Description: A string value used as a delimiter. Splits the values in
fieldon every occurrence of this delimiter. - Default: A single space (" ").
- tokenizer
- Syntax: tokenizer=<string>
- Description: A regular expression with a capturing group that is repeat-matched against the values in the field. For each match, the first capturing group is used as a value in the newly created multivalue field.
- allowempty
- Syntax: allowempty=<bool>
- Description: Specifies whether to permit empty string values in the multivalue field. When using
delim=true, repeats of the delimiter string produce empty string values in the multivalue field. For example ifdelim=","andfield="a,,b", by default does not produce any value for the empty string. When using thetokenizerargument, zero length matches produce empty string values. By default they produce no values. - Default: false
- setsv
- Syntax: setsv=<bool>
- Description: If true, the
makemvcommand combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.) - Default: false
Usage
The makemv command is a distributable streaming command. See Command types.
You can use evaluation functions and statistical functions on multivalue fields or to return multivalue fields.
Examples
1. Use a comma to separate field values
For sendmail search results, separate the values of "senders" into multiple values. Display the top values.
eventtype="sendmail" | makemv delim="," senders | top senders
2. Use a colon delimiter and allow empty values
Separate the value of "product_info" into multiple values.
... | makemv delim=":" allowempty=true product_info
3. Use a regular expression to separate values
The following search creates a result and adds three values to the my_multival field. The makemv command is used to separate the values in the field by using a regular expression.
| makeresults
| eval my_multival="one,two,three"
| makemv tokenizer="([^,]+),?" my_multival
See also
Commands:
mvcombine
mvexpand
nomv
Functions:
Multivalue eval functions
Multivalue stats and chart functions
split
| makecontinuous | makeresults |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!