Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF



Converts a single valued field into a multivalue field by splitting it on a simple string delimiter, which can be a multicharacter. Alternatively, splits field by using a regex.


makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>

Required arguments

Syntax: <field>
Description: Specify the name of a field.

Optional arguments

Syntax: delim=<string>
Description: A string value used as a delimiter. Splits the values in field on every occurrence of this string.
Default: A single space (" ").
Syntax: tokenizer=<string>
Description: A regex, with a capturing group, that is repeat-matched against the text of field. For each match, the first capturing group is used as a value of the newly created multivalue field.
Syntax: allowempty=<bool>
Description: Specifies whether to permit empty string values in the multivalue field. When using delim=true, repeats of the delimiter string produce empty string values in the multivalue field. For example if delim="," and field="a,,b", by default does not produce any value for the empty string. When using the tokenizer argument, zero length matches produce empty string values. By default they produce no values.
Default: false
Syntax: setsv=<bool>
Description: If true, the makemv command combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.)
Default: false


There evaluation functions and statistical functions that you can use on multivalue fields or to return multivalue fields.


Example 1:

For sendmail search results, separate the values of "senders" into multiple values. Display the top values.

eventtype="sendmail" | makemv delim="," senders | top senders

Example 2:

Separate the value of "foo" into multiple values.

... | makemv delim=":" allowempty=true foo

See also


Multivalue eval functions
Multivalue stats and chart functions


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the makemv command.

Last modified on 01 August, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters