Data that has multiple values in a single field can be difficult to view in a report. The mvjoin function from Splunk’s Search Processing Language (SPL) can make this data more readable.
What is the Splunk mvjoin Function?
The mvjoin function (remember: mv means “Multi Value”) allows the Splunk user to collate the values of a multivalue field onto a single line, separated by a delimiter. The delimiter can be any character, including a space.
The Benefits of Splunk mvjoin
The figure below shows the output from a “|stats values” command/function. This tends to be a little confusing to interpret. Utilizing mvjoin can make multivalue outputs more readable.
The syntax for mvjoin via “| eval” (for this example):
| eval <new_field>=mvjoin(fieldname,"delimiter")
In the figure below, a space is used as the delimiter between the values in the field “Value_Field”.
| stats values(Value) AS Values BY host
| eval Value_Field=mvjoin(Values," ")
In the next example, a forward slash surrounded by spaces demonstrates another option. Any character, or combination of characters, can be used as a delimiter.
| stats values(Value) AS Values BY host
| eval Value_Field=mvjoin(Values," / ")
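The search below is an added example, not part of the original article. It can be pasted into any Splunk search bar without an index, because it builds its own sample events with makeresults. The host names (web01, db01) and the process names used for Value are constructed sample data. The two mvcount columns show what mvjoin changes: the field goes from several values to one string.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=3, "web01", "db01")
| eval Value=case(n==1,"sshd", n==2,"nginx", n==3,"cron", n==4,"postgres", n==5,"sshd", n==6,"cron")
| stats values(Value) AS Values BY host
| eval value_count=mvcount(Values)
| eval Value_Field=mvjoin(Values, " / ")
| eval joined_count=mvcount(Value_Field)
| table host Values value_count Value_Field joined_count
```

Because Value_Field is a single string after the join, keep the original multivalue field (Values here) if later parts of the search still need to filter or count individual values.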
Conclusion
Presenting data in a highly readable form is a goal that all Splunkers should strive for. Stakeholders appreciate knowledge objects that are concise and interpreted easily. The mvjoin function is a tool that easily accomplishes this.