What is the default delimiter for multivalue field...

gfs2277 · ‎10-03-2014

Hi guys,

i just want to know the default delimiter for multivalue field in splunk
when i export a table to a csv.file
if the multivalue field is splunk generated , i can see the values are line by line in its csv cell
but if it generated manually , such as the following :

| eval cfxA=cfsnA."///".cfmnA."///".cfszA
| makemv delim="///" cfxA

i can only see the values are all in the same line and delimited by "///"
who can tell me which delimiter could let them displayed line by line , please ?

jrodman · ‎10-04-2014

The delimiters used by makemv etc are instructions on how to take a string and identify multiple values within it. In-memory, there simply multiple string values for the field, without any delimeters.

When we serialize the multivalue fields to csv, typically there are two reprsentations, one representation acts as a hint that there is a multivalue field, and the other representation is newline-delimited. This is true for data passed to a python search command, or when using the |outputcsv command. I'm not familiar with what you get when using the in-gui "export" feature with multivalue fields.

In the current implementation, the system actually tracks a single-value string and a multi-value set of values for a field that is multivalue, so we may provide the single-value string when exporting even though we will ignore it. (If relevant, this is an implementation wart which will eventually go away.)

What is the default delimiter for multivalue fields in Splunk when exporting a table to a CSV file?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms