USAGE OF SPLUNK COMMANDS: MVCOMBINE
Hi Guys!!!!
Today we have come up with another command, i.e. mvcombine.
Definition:
“mvcombine” command is used to create a multivalue field from a single value field.
Syntax of mvcombine command:
mvcombine <field>
<field>: The name of the field from which you want to generate a multivalue field.
Example: 1
First, we will show you the data on which we will use the “mvcombine” command. Please see the query below:
index=test_index | table name | dedup name
Explanation:
Here, we are using the “test_index” index, where we have our sample data. Then, using the “table” and “dedup” commands, we are showing the unique values of the “name” field in tabular form.
As the result of this query shows, “name” is a single value field.
Now, if you want this single value field “name” to appear as a multivalue field, you can use the “mvcombine” command.
Please see the query below:
index=test_index | table name | dedup name | mvcombine name
Explanation:
Here, we have used “| mvcombine name”. As a result, the “name” field has now become a multivalue field.
Example: 2
First, let’s see the data for this example. Please see the query below:
index=test_index | table name,age | dedup name,age
Explanation:
Here, we are using the “test_index” index, where we have our sample data. Then, using the “table” and “dedup” commands, we are showing the unique combinations of values of the “name” and “age” fields in tabular form.
Now, if you look at the result closely, you will see that:
For the “name” field values “Rehan” and “Ayush”, the value of the “age” field is the same, i.e. “34”.
Also, for the “name” field values “Neha” and “Mohan”, the value of the “age” field is the same, i.e. “22”.
And the “name” field values “Shilpa” and “Palash” have unique “age” field values, i.e. “29” and “19” respectively.
Now, in this case, if you make the “name” field multivalue, what will the result be? Let’s see. Please see the query below:
index=test_index | table name,age | dedup name,age | mvcombine name
Explanation:
Here, we have used “| mvcombine name”.
Now, as the “name” field values “Rehan” and “Ayush” have the same “age” field value, i.e. “34”, they are grouped together and create a multivalue row inside the “name” field.
Also, as the “name” field values “Neha” and “Mohan” have the same “age” field value, i.e. “22”, they too create a multivalue row together inside the “name” field.
But, as the “name” field values “Shilpa” and “Palash” have unique “age” field values, i.e. “29” and “19” respectively, each of them is still a single value row.
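Example 2 can be reproduced without “test_index” using the query below. This is an added example, not a query from the original post: it builds the six name/age rows inline as constructed sample data, and the “raw”, “row” and “name_count” field names are assumptions made for the illustration.

```spl
| makeresults
| eval raw=split("Rehan,34;Ayush,34;Neha,22;Mohan,22;Shilpa,29;Palash,19", ";")
| mvexpand raw
| eval name=mvindex(split(raw, ","), 0), age=mvindex(split(raw, ","), 1)
| streamstats count AS row
| table row, name, age
| fields - row
| mvcombine name
| eval name_count=mvcount(name)
```

The result has four rows, with “name_count” equal to 2 for the ages “34” and “22” and 1 for “29” and “19”. If you delete the “| fields - row” line, no rows are combined, because “mvcombine” only merges rows whose other fields are all identical and “row” is different on every row.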
Happy Splunking !!