Solved: multivalues in field

ken_t_huang · ‎06-14-2011

I have a data like this:

NUM=001,Rules="Food Water"

NUM=002,Rules="Water Product"

NUM=003,Rules="Water"

NUM=004,Rules="Product"

NUM=005,Rules="Water Product"

and when I pick the field for "Rules", it shows:

rules (categorical)
Top 10 values of rules
Value               #     %
**Water Product     2     40%
Food Water          1     20%
Water               1     20%
Product             1     20%**

how can I show the correct category? like below:

rules (categorical)
Top 10 values of rules
Value       #     %
**Water     4     50%
Product     3     37.5%
Food        1     12.5%**

please kindly help this issue, thanks.

sideview · ‎06-14-2011

This should work to turn the Rules field into a multivalue field.

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

View solution in original post

sideview · ‎06-14-2011

This should work to turn the Rules field into a multivalue field.

<your search> | makemv delim=" " Rules

http://www.splunk.com/base/Documentation/latest/SearchReference/makemv

Or you dont want to use the search language to do it, you can read about how to configure the Rules field to automatically become extracted as a multivalued field. http://www.splunk.com/base/Documentation/4.2.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

ken_t_huang · ‎06-14-2011

hi nick, thanks you answer, I think set configure is better, but I don't know clear about this configure, could you give me an example? thanks

multivalues in field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms