Splunk Cloud Platform

Search Reference

nomv

Description

Converts values of the specified multivalue field into one single value. Separates the values using a new line "\n delimiter.

Overrides the configurations for the multivalue field that are set in the fields.conf file.

Syntax

nomv <field>

Required arguments

field
Syntax: <field>
Description: The name of a multivalue field.

Usage

The nomv command is a distributable streaming command. See Command types.

You can use evaluation functions and statistical functions on multivalue fields or to return multivalue fields.

Examples

Example 1:

For sendmail events, combine the values of the senders field into a single value. Display the top 10 values.

eventtype="sendmail" | nomv senders | top senders

See also

Commands:
makemv
mvcombine
mvexpand
convert

Functions:
Multivalue eval functions
Multivalue stats and chart functions
split

Last modified on 28 April, 2021
mvexpand   outlier

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters