Data that has multiple values in a single field can be difficult to view in a report. Splunk’s Search Processing Language (SPL) offers several functions that can make this data more readable, including the mvjoin function.
What is the Splunk mvjoin function?
The mvjoin function (remember: mv means “Multi Value”) allows the Splunk user to collate the values of a multivalue field onto a single line, separated by a delimiter. The delimiter can be any character, including spaces.
The Benefits of Splunk mvjoin
The figure below shows the output from a “|stats values” command/function. This tends to be a little confusing to interpret. Utilizing mvjoin can make multivalue outputs more readable.
The syntax for mvjoin via “| eval” (for this example):
| eval <new field name>=mvjoin(fieldname,"delimiter")
In the figure below, a space is used as the delimiter between the values in the field “Value_Field”.
<search> | stats values(Value) AS Values BY host | eval Value_Field=mvjoin(Values," ")
In the next example, a forward slash surrounded by spaces demonstrates another option.
<search> | stats values(Value) AS Values BY host | eval Value_Field=mvjoin(Values," / ")
Any character, or combination of characters, can be used as a delimiter.
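The search below is an added example, not part of the original post. It reproduces the pattern above on constructed data, so it can be pasted into any search bar without an index. The host names (demo-web01, demo-web02) and the process names are made up for illustration. It also shows a point worth knowing before reusing the joined field: the result of mvjoin is a single string, so mvcount on it returns 1, and split with the same delimiter turns it back into a multivalue field.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=3, "demo-web01", "demo-web02")
| eval Value=case(n=1, "sshd", n=2, "nginx", n=3, "cron", n=4, "sshd", n=5, "postgres", n=6, "cron")
| stats values(Value) AS Values BY host
| eval Values_Count=mvcount(Values)
| eval Value_Field=mvjoin(Values, " / ")
| eval Joined_Count=mvcount(Value_Field)
| eval Restored=split(Value_Field, " / ")
| eval Restored_Count=mvcount(Restored)
| table host Values_Count Value_Field Joined_Count Restored_Count
```

If the joined field will be split again later, pick a delimiter that cannot occur inside the values themselves.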
Conclusion
Presenting data in a highly readable form is a goal that all Splunkers should strive for. Stakeholders appreciate knowledge objects that are concise and interpreted easily. The mvjoin function is a tool that easily accomplishes this.