mvcombine

The mvcombine command groups rows that are identical across all fields except a specified target field, and combines the values of that target field into a multivalue (array) field.

Rows are grouped by all fields currently in the pipeline except the target field. Rows in which the target field is missing or null are excluded from the combined multivalue output.

Syntax

The mvcombine command has the following syntax:

mvcombine <field>

Parameters

The mvcombine command supports the following parameters.

Example 1: Using basic mvcombine

The following query collapses rows into a single row and combines packets_str into a multivalue field:

source=mvcombine_data
| where ip='10.0.0.1' and bytes=100 and tags='t1'
| fields ip, bytes, tags, packets_str
| mvcombine packets_str

The query returns the following results:

Example 2: Combining multiple groups

The following query produces one output row per group key:

source=mvcombine_data
| where bytes=700 and tags='t7'
| fields ip, bytes, tags, packets_str
| sort ip, packets_str
| mvcombine packets_str
| sort ip

The query returns the following results:

Example 3: Missing target field in some rows

Rows missing the target field do not contribute a value to the combined output:

source=mvcombine_data
| where ip='10.0.0.3' and bytes=300 and tags='t3'
| fields ip, bytes, tags, packets_str
| mvcombine packets_str

The query returns the following results:

Example 4: Missing fields

The following query attempts to combine values for a field that does not exist in the current schema:

source=mvcombine_data
| mvcombine does_not_exist

The query returns the following error:

{'reason': 'Invalid Query', 'details': 'Field [does_not_exist] not found.', 'type': 'IllegalArgumentException'}

Related commands

• nomv – Converts a multivalue field into a single-value string
• mvexpand – Expands multivalue fields into separate rows