In this blog we are going to explore the types of multivalue commands (mvcommands) in Splunk. In Splunk we start by ingesting data, and that data is then used to build dashboards, alerts and reports that turn it into insights.
Data can come in any type or format: some of it has duplicate values, and sometimes a single field is associated with many values. How do we deal with this kind of data? This is where the mvcommands come into the picture. The mvcommands help us deal with multivalue fields.
They can create multivalue fields from data or dedupe the multivalue fields we already have. In a relational database, when a field holds more than one value, we use a process called normalization, which brings multivalued data into single-value form.
Splunk is not a relational database, so here we have the multivalue commands to deal with such data.
Example: when creating lookup data we can assign multiple values to a single field.
Take movie data as an example. A single movie has multiple genres (thriller, action, etc.).
This is where the mvcommands come in.
Below we go through the mvcommands along with their examples.
1 – MAKEMV(makemv)
In the example above we created a field whose value is 1,2,3,4,5. Using the makemv command we can turn this single value into a multivalue field.
makemv has a parameter called delim, where we give the delimiter on which the field value should be split, followed by the name of the field whose single value needs to be converted into multiple values.
2 – MVCOMBINE(mvcombine)
mvcombine combines several events into a single event with a multivalue field.
It is a very useful command when you have multiple events whose field values are all the same except for one field.
In the example above, | makeresults count=5 creates 5 rows, the streamstats command creates values in increasing order, i.e. 1,2,3,4,5, and the field1 and field2 values repeat across all five rows because of count=5.
Here mvcombine combines the rows into a single event on the counter field, because that is the field with non-duplicate values.
3 – NOMV(nomv)
The nomv command works opposite to makemv: it converts a multivalue field back into a single-value field.
In the example above we added delim="," to mvcombine; by then using nomv, the multivalue field is turned into a single value with "," placed between the values.
4 – MVEXPAND(mvexpand)
The mvexpand command is used to normalize a multivalue field into new events, one event per value. It is the opposite of mvcombine.
Here it reverts the changes made by mvcombine.
5 – MVAPPEND(mvappend)
mvappend takes an arbitrary number of arguments, which can be field names, field values or strings, and outputs a multivalue field containing all of them. In this example a new field, details, is created and all the field values get appended to it.
6 – MVCOUNT(mvcount)
mvcount takes a multivalue field as its argument and returns the number of values the field has. If the Details field has 5 values, the total_length field is 5.
7 – MVDEDUP(mvdedup)
mvdedup takes a multivalue field as its argument, removes the duplicate values from it and returns a new field.
8 – MVFILTER(mvfilter)
mvfilter() returns the values that satisfy a condition applied to them. In this example we want only the matching values from the Names field, so we gave a condition and the result is output in the filter_Names field. We can also use regular expressions to extract values from fields.
9 – MVFIND(mvfind)
mvfind is used to find the index of a value in a multivalue field. It takes a multivalue field and a regex (or an exact value) as arguments and returns the index of the matching value.
10 – mvindex(MVFIELD, STARTINDEX, ENDINDEX)
mvindex takes 3 arguments: the multivalue field, the start index from which we want values, and the end index up to which we want them. It returns the values between the start and end index we defined.
11 – mvjoin(MVFIELD, STR)
mvjoin takes 2 arguments, a multivalue field and a string. It turns the multivalue field into a single-value field, placing the given string between the values.
12 – mvrange(START, END, STEP)
mvrange can be used to generate a range of values, as shown in the example below.
13 – mvsort(MVFIELD)
mvsort sorts the values of a multivalue field in lexicographical order.
14 – mvzip(MVFIELD1, MVFIELD2, DELIMITER)
mvzip combines two multivalue fields pairwise and can put a separator between the elements of the two fields, as shown in the example below:
15 – split(FIELD, "DELIMITER")
split can be used to split the value of a field into multiple values based on a delimiter found in the field.
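To tie the commands together, here is an added example search (not from the original post) that rebuilds the makeresults/streamstats chain described above and then applies each mvcommand and eval function to the result. The constant values "a" and "b" for field1 and field2, the sample string "pear,apple,fig", the regex patterns and the delimiters are assumptions made for this demonstration.

```spl
| makeresults count=5
| streamstats count AS counter
| eval field1="a", field2="b"
| mvcombine delim="," counter
| nomv counter
| makemv delim="," counter
| eval total_length=mvcount(counter),
       deduped=mvdedup(mvappend(counter, counter)),
       odd_only=mvfilter(match(counter, "^[135]$")),
       index_of_3=mvfind(counter, "^3$"),
       middle=mvindex(counter, 1, 3),
       joined=mvjoin(counter, ";"),
       stepped=mvrange(1, 10, 3),
       sorted_fruit=mvsort(split("pear,apple,fig", ",")),
       zipped=mvzip(counter, mvrange(10, 15), "=")
| mvexpand counter
```

Run it from the Search bar: after the mvcombine stage the five rows collapse into one event with counter holding 1,2,3,4,5 (total_length 5, index_of_3 equal to 2, middle 2,3,4, joined 1;2;3;4;5, stepped 1,4,7, sorted_fruit apple,fig,pear), and the final mvexpand stage splits that event back into five events, one per counter value.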