USAGE OF SPLUNK COMMANDS : MVCOMBINE

Hi Guys!!!!
Today we have come up with another command, i.e. mvcombine.

Definition:
The “mvcombine” command is used to create a multivalue field from a single value field.

Syntax of mvcombine command:
mvcombine <field>

<field>: The name of the field from which you want to generate a multivalue field.

Example: 1
First, we will show you the data on which we will use the “mvcombine” command. Please see the query below:

index=test_index
| table name
| dedup name

Explanation:
Here, we are using the “test_index” index, where we have our sample data. Then, using the “table” and “dedup” commands, we show the unique values of the “name” field in tabular form.

As you can see in the results, “name” is a single value field.
Now, if you want this single value field “name” to appear as a multivalue field, use the “mvcombine” command.
Please see the query below:

index=test_index
| table name
| dedup name
| mvcombine name

Explanation:
Here, we have used “| mvcombine name”. As a result, the “name” field has now become a multivalue field.

Example: 2
First, let’s see the data for this example. Please see the query below:

index=test_index
| table name,age
| dedup name,age

Explanation:
Here, we are using the “test_index” index, where we have our sample data. Then, using the “table” and “dedup” commands, we show the unique combinations of values of the “name” and “age” fields in tabular form.
If you look at the results closely, you will see that:
For the “name” field values “Rehan” and “Ayush”, the value of the “age” field is the same, i.e. “34”.
For the “name” field values “Neha” and “Mohan”, the value of the “age” field is also the same, i.e. “22”.
The “name” field values “Shilpa” and “Palash” have unique “age” field values, i.e. “29” and “19” respectively.
Now, in this case, what will the result be if you make the “name” field multivalue? Let’s see. Please see the query below:

index=test_index
| table name,age
| dedup name,age
| mvcombine name

Explanation:
Here, we have used “| mvcombine name”.
The “name” field values “Rehan” and “Ayush” have the same “age” field value, i.e. “34”, so they are grouped together into a multivalue row inside the “name” field.
Likewise, the “name” field values “Neha” and “Mohan” have the same “age” field value, i.e. “22”, so they are also grouped together into a multivalue row inside the “name” field.
But the “name” field values “Shilpa” and “Palash” have unique “age” field values, i.e. “29” and “19” respectively, so each of them remains a single value row.
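
The grouping from Example 2 can be reproduced without “test_index”. The search below is an added example, not part of the original post: it builds the six name/age rows inline with “makeresults” (constructed sample data; the field names “row”, “name_count” and “name_list” are assumptions made here), applies “mvcombine”, and then uses “mvcount” and “mvjoin” to show how many values each row holds.

```spl
| makeresults
| eval row=split("Rehan,34;Ayush,34;Neha,22;Mohan,22;Shilpa,29;Palash,19", ";")
| mvexpand row
| eval name=mvindex(split(row, ","), 0), age=mvindex(split(row, ","), 1)
| table name, age
| mvcombine name
| eval name_count=mvcount(name), name_list=mvjoin(name, ", ")
```

The “table name, age” step matters: “mvcombine” only merges rows whose other fields are all identical, so leaving the per-row “row” field in place would prevent any grouping.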

Happy Splunking !!
