What is the default delimiter for multivalue field...

gfs2277 · ‎10-03-2014

Hi guys,

i just want to know the default delimiter for multivalue field in splunk
when i export a table to a csv.file
if the multivalue field is splunk generated , i can see the values are line by line in its csv cell
but if it generated manually , such as the following :

| eval cfxA=cfsnA."///".cfmnA."///".cfszA
| makemv delim="///" cfxA

i can only see the values are all in the same line and delimited by "///"
who can tell me which delimiter could let them displayed line by line , please ?

jrodman · ‎10-04-2014

The delimiters used by makemv etc are instructions on how to take a string and identify multiple values within it. In-memory, there simply multiple string values for the field, without any delimeters.

When we serialize the multivalue fields to csv, typically there are two reprsentations, one representation acts as a hint that there is a multivalue field, and the other representation is newline-delimited. This is true for data passed to a python search command, or when using the |outputcsv command. I'm not familiar with what you get when using the in-gui "export" feature with multivalue fields.

In the current implementation, the system actually tracks a single-value string and a multi-value set of values for a field that is multivalue, so we may provide the single-value string when exporting even though we will ignore it. (If relevant, this is an implementation wart which will eventually go away.)

What is the default delimiter for multivalue fields in Splunk when exporting a table to a CSV file?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases