Wednesday, October 17, 2018

Splunk - mvcombine command - convert rows to columns

Hi All,

So, yesterday we ran into a strange issue: we wanted to convert columns to rows.

Step 1 - Let's check this Splunk search query:
index=* | stats max(bytes) AS max, min(bytes) AS min BY host

Please note in this image that 3 hosts have the same max/min values.


Step 2 - Basic mvcombine
We can combine these 3 rows into a single row with the "mvcombine" (multivalue combine) command, like this:
index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine host



Step 3 - Use a delimiter

To see the output of the delim argument, you must use the nomv command immediately after the mvcombine command.

index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine delim="," host | nomv host
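
To try the steps above without any indexed data, here is an added example (not from the original post) that builds four constructed rows with makeresults; the host names and byte values are made-up sample data. Three hosts share the same max/min and collapse into one comma-separated row, while the fourth host, whose values differ, stays on its own row.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n=1, "www1", n=2, "www2", n=3, "www3", n=4, "mailsv")
| eval max=if(n<=3, 4000, 3900), min=if(n<=3, 200, 210)
| fields - _time n
| mvcombine delim="," host
| nomv host
```

Remove the last line to see host as a multivalue field instead of a delimited string.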