Have you ever been stick with a single value field and needed it to bring a little more… value? This week’s Splunk search command, makemv adds that value.
Let’s talk about makemv. Makemv is a command that you can use when you have a field, and that field has multiple values. Here is an example of a field with multiple values.
Figure 1 – example of a field with multiple values in Splunk
How to use makemv
Here field1 has the values of 1, 2, 3, 4, and 5. By using the makemv command we can separate out these values. Let’s take a look.
Figure 2 – example of separated values using makemv
Using the delim argument
As you can see, Splunk has successfully divided out the values associated with this field. To use the makemv command successfully you have to give the delim argument, once you let Splunk know what delim it’s looking for, make sure to surround it in quotes. After that, all you need to do is provide the field that has multiple values and let Splunk do the rest! Here is an example of Splunk separating out colons.
Figure 3 – Splunk separating out colons with makemv
Extract field values with regex
The makemv command can also use regex to extract the field values. Let’s take a look at how to construct that. Here is an example.
Figure 4 – makemv command using regex
Here, all I wanted from the field values was the name of the email address. To do this you need to use the tokenizer argument instead of the delim, while the regex takes care of separating the values. Now that you have some basic understanding of the makemv command, try it out in your environment! Happy Splunking!
Ask the Experts
Our Splunk Search Command Series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!
