Splunk Cloud Platform

Search Reference

makemv

Description

Converts a single valued field into a multivalue field by splitting the values on a string delimiter or by using a regular expression. The delimiter can be a multicharacter delimiter.

The makemv command does not apply to internal fields.

See Use default fields in the Knowledge Manager Manual.

Syntax

makemv [delim=<string> | tokenizer=<string>] [allowempty=<bool>] [setsv=<bool>] <field>

Required arguments

field
Syntax: <field>
Description: The name of a field to generate the multivalues from.

Optional arguments

delim
Syntax: delim=<string>
Description: A string value used as a delimiter. Splits the values in field on every occurrence of this delimiter.
Default: A single space (" ").
tokenizer
Syntax: tokenizer=<string>
Description: A regular expression with a capturing group that is repeat-matched against the values in the field. For each match, the first capturing group is used as a value in the newly created multivalue field.
allowempty
Syntax: allowempty=<bool>
Description: Specifies whether to permit empty string values in the multivalue field. When using delim=true, repeats of the delimiter string produce empty string values in the multivalue field. For example if delim="," and field="a,,b", by default does not produce any value for the empty string. When using the tokenizer argument, zero length matches produce empty string values. By default they produce no values.
Default: false
setsv
Syntax: setsv=<bool>
Description: If true, the makemv command combines the decided values of the field into a single value, which is set on the same field. (The simultaneous existence of a multivalue and a single value for the same field is a problematic aspect of this flag.)
Default: false

Usage

The makemv command is a distributable streaming command. See Command types.

You can use evaluation functions and statistical functions on multivalue fields or to return multivalue fields.

Examples

1. Use a comma to separate field values

For sendmail search results, separate the values of "senders" into multiple values. Display the top values.

eventtype="sendmail" | makemv delim="," senders | top senders

2. Use a colon delimiter and allow empty values

Separate the value of "product_info" into multiple values.

... | makemv delim=":" allowempty=true product_info

3. Use a regular expression to separate values

The following search creates a result and adds three values to the my_multival field. The makemv command is used to separate the values in the field by using a regular expression.

| makeresults | eval my_multival="one,two,three" | makemv tokenizer="([^,]+),?" my_multival

See also

Commands:
mvcombine
mvexpand
nomv

Functions:
Multivalue eval functions
Multivalue stats and chart functions
split

Last modified on 05 October, 2022
makecontinuous   makeresults

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters