Splunk Search

Makemv example not working

blurblebot
Communicator

In trying to use makemv, which seems incredibly simple, I've been ingesting multiple iterations of a single event with multiple values per the single key to get a working example of my own. I've had to regress down to what I thought would be the simplest possible data sample, but with still no success.

My data is:

direction=up, down, left, right

That's it. I can call that event up with its manually-labeled sourcetype (sample009), and it appears correctly. However, makemv does nothing to it.

my search:

sourcetype=sample009 | makemv delim=", " direction | stats count(direction)

yields a one-row table, where I'd have expected a four-row table.

Next,

sourcetype=sample009 | makemv delim=", " direction

yields 1 value for direction (up). I would have expected 4 values.

I don't think it's possible to make a much simpler set of data to experiment with, so am I fundamentally misunderstanding something, or is this a bug? Maybe I have some funky precedence issue?

0 Karma

acdevlin
Communicator

I'm having trouble replicating your issue. In my own data, I have a field called "other" which looks similar to this:

"204.2.223.84, 204.2.223.84, 72.163.4.153" 50496/0

My query to split it was the following:

sourcetype="access_combined" | makemv delim="," other | top other

The results were as follows:

[screenshot of the top results for the split "other" field omitted]

So makemv DID successfully split up the field, albeit with a few weird formatting issues that could probably be fixed if I were willing to spend the time on it. The point remains: I'm not seeing the problem that you are having on my end, for whatever reason.

Given the (seemingly) finicky nature of makemv, I would thus recommend seeking alternatives to makemv. As one example, it looks like you can fiddle with fields.conf to extract direction as a multivalue field (see http://docs.splunk.com/Documentation/Splunk/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields).

If you absolutely must have makemv in your query, I apologize but it seems to be working properly on my end and I have no clue as to where your problem lies.

blurblebot
Communicator

Confs it is. Thank you.

0 Karma

acdevlin
Communicator

Huh...I would not have guessed that the quotes mattered. Good find!

The only alternative I can think of for not using quotes at the moment is - again - to avoid using makemv. I guess if the effort of changing your .conf files correctly is less than the effort of retrofitting those data sources, it might be something to consider.

blurblebot
Communicator

How can we get past having to enclose all of our multivalue values in quotes, or is that just par for the course? It wouldn't be a big deal if it didn't mean having to retrofit all of our data sources to include quotes around multivalue values, but it does.

0 Karma

blurblebot
Communicator

acdevlin - Thanks for your example. There is a key difference between your sample data and ours, however: quotes.

In all of my examples, none of my individual values (or groups of values) are enclosed with quotes, but your example data is. We've tried enclosing the multiple values of a fresh data sample in quotes, and that has made a big difference. It works.

...

bwooden
Splunk Employee

You've taken good steps in isolating the variable and trying a few different techniques. The difficulty you're experiencing may be related to 'events' vs 'results'. In the search app, you can switch between the event view, the event table, and the results table. Most searches pick the best view to use automatically.

If you would just like to see 4 results, you could split by direction:

sourcetype=sample009 | makemv delim=", " direction | stats count by direction

To see 4 events you could invoke the mvexpand command:

sourcetype=sample009 | makemv delim=", " direction | mvexpand direction
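The two searches below are an added example (not part of bwooden's reply or of Splunk's documentation) that makes the events-vs-results distinction reproducible in any Splunk instance. Instead of relying on the sample009 sourcetype and on the automatic key=value extraction of the raw event (which, per the thread, only picked up the whole string once the value was quoted), the event is constructed inline with makeresults and the direction field is set with eval, so the only thing under test is makemv itself. The first search keeps one event whose direction field holds 4 values (mvcount confirms this); the second expands it into 4 events and counts them. To run against real data, replace the first two lines of either search with sourcetype=sample009.

```spl
| makeresults
| eval direction="up, down, left, right"
| makemv delim=", " direction
| eval value_count=mvcount(direction)
| table direction value_count

| makeresults
| eval direction="up, down, left, right"
| makemv delim=", " direction
| mvexpand direction
| stats count by direction
```

The first search returns a single row: direction displayed as four stacked values and value_count = 4, which is the "4 of something" the original poster was looking for, just inside one event. The second returns four rows (down, left, right, up), each with count 1, because mvexpand has turned the one multivalue event into four single-value events before stats runs. If either search shows value_count = 1, the field was never multivalue, and the delimiter (", " with the space versus ",") is the first thing to check.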

yasaracar
Explorer

I had the same problem. I could find the makemv delim="," solution everywhere, but mvexpand was really helpful for the solution.
Thanks a lot

0 Karma

landen99
Motivator

Your code matches values on "," or " " (space) and yields null values, which requires that you add the option allowempty=t.
That is my theory.

0 Karma

RVDowning
Contributor

I've been pulling my hair out over this. At least now I understand why I haven't been getting my use of makemv to work. They need to fix this. I'm on 4.3 and it still doesn't work.

0 Karma

blurblebot
Communicator

crickets....

0 Karma

blurblebot
Communicator

My point is that none of these, your examples included, create 4 of anything. (except tears)
