Related Answers
Download topic as PDF
makemv
Description
Converts a single valued field into a multivalue field by splitting it on a simple string delimiter, which can be a multicharacter. Alternatively, splits field by using a regex.
Syntax
makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>
Required arguments
- field
- Syntax: <field>
- Description: Specify the name of a field.
Optional arguments
- delim
- Syntax: delim=<string>
- Description: A string value used as a delimiter. Splits the values in
fieldon every occurrence of this string. - Default: A single space (" ").
- tokenizer
- Syntax: tokenizer=<string>
- Description: A
regex, with a capturing group, that is repeat-matched against the text of field. For each match, the first capturing group is used as a value of the newly created multivalue field.
- allowempty
- Syntax: allowempty=<bool>
- Description: Specifies whether to permit empty string values in the multivalue field. When using
delim=true, repeats of the delimiter string produce empty string values in the multivalue field. For example ifdelim=","andfield="a,,b", by default does not produce any value for the empty string. When using thetokenizerargument, zero length matches produce empty string values. By default they produce no values. - Default: false
- setsv
- Syntax: setsv=<bool>
- Description: If true, the
makemvcommand combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.) - Default: false
Usage
There evaluation functions and statistical functions that you can use on multivalue fields or to return multivalue fields.
Examples
Example 1:
For sendmail search results, separate the values of "senders" into multiple values. Display the top values.
eventtype="sendmail" | makemv delim="," senders | top senders
Example 2:
Separate the value of "foo" into multiple values.
... | makemv delim=":" allowempty=true foo
See also
Commands:
mvcombine
mvexpand
nomv
Functions:
Multivalue eval functions
Multivalue stats and chart functions
split
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the makemv command.
|
PREVIOUS makecontinuous |
NEXT makeresults |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Comments
The "See Also" section should also include these:
split and http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/MultivalueEvalFunctions
The same is true for the docs for other "mv*" commands and split:
mvcombine, mvexpand, nomv, split
Woodcock
Thank you for the suggestion. I have updated the "See also" section.