Hi guys,
I just want to know the default delimiter for a multivalue field in Splunk
when I export a table to a CSV file.
If the multivalue field is Splunk-generated, I can see the values line by line in its CSV cell,
but if it is generated manually, such as with the following:
| eval cfxA=cfsnA."///".cfmnA."///".cfszA
| makemv delim="///" cfxA
I can only see the values all on the same line, delimited by "///".
Who can tell me which delimiter would let them be displayed line by line, please?
The delimiters used by makemv etc. are instructions on how to take a string and identify multiple values within it. In-memory, there are simply multiple string values for the field, without any delimiters.
When we serialize the multivalue fields to CSV, typically there are two representations: one representation acts as a hint that there is a multivalue field, and the other representation is newline-delimited. This is true for data passed to a Python search command, or when using the |outputcsv command. I'm not familiar with what you get when using the in-GUI "export" feature with multivalue fields.
In the current implementation, the system actually tracks a single-value string and a multi-value set of values for a field that is multivalue, so we may provide the single-value string when exporting even though we will ignore it. (If relevant, this is an implementation wart which will eventually go away.)
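
The two CSV representations described in the answer above, read back in Python, as an added example that is not part of the original thread and is not Splunk's own code. It assumes the hint column is named `__mv_<field>` and encodes values as `$value$;$value$` with a literal `$` doubled, which the thread does not spell out; the sample CSV is constructed.

```python
import csv
import io
import re

# Constructed sample shaped like an exported result: the plain column holds the
# newline-delimited form, the __mv_ column (assumed name) holds the hint form.
SAMPLE_CSV = (
    'host,cfxA,__mv_cfxA\r\n'
    'web01,"alpha\nbeta$1\ngamma",$alpha$;$beta$$1$;$gamma$\r\n'
    'web02,single,\r\n'
)

# One encoded item: $...$ where a literal dollar inside the value is written $$.
_MV_ITEM = re.compile(r'\$((?:\$\$|[^$])*)\$(?:;|$)')


def decode_mv(encoded):
    """Decode the assumed '$a$;$b$' hint encoding into a list of values."""
    return [item.replace('$$', '$') for item in _MV_ITEM.findall(encoded)]


def load_rows(text):
    """Return rows as {field: [values]}, preferring the hint column if present."""
    rows = []
    # newline='' lets the csv module keep newlines embedded in quoted cells.
    for raw in csv.DictReader(io.StringIO(text, newline='')):
        row = {}
        for name, value in raw.items():
            if name.startswith('__mv_'):
                continue  # helper column, folded into its base field below
            hint = raw.get('__mv_' + name) or ''
            if hint:
                row[name] = decode_mv(hint)
            else:
                # No hint: fall back to the newline-delimited form. This cannot
                # tell a multivalue field from one value that contains a newline.
                row[name] = value.split('\n')
        rows.append(row)
    return rows


if __name__ == '__main__':
    for parsed in load_rows(SAMPLE_CSV):
        print(parsed)
```
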