All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
MV Expand
This topic describes how to use the function in the .
Description
Use the mvexpand
function to expand the values in a multivalue field into separate events, one event for each value in the multivalue field.
Function Input/Output
- Function Input
- collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
- collection<record<S>>
- This function outputs the same collection of records but with a different schema S.
Syntax
- mvexpand
- [limit=<int>]
- <field>
Required arguments
- field
- Syntax: <field>
- Description: The name of the multivalue field that you want to expand. You can only specify one field to expand.
Optional arguments
- limit
- Syntax: <int>
- Description: Specifies the number of values to expand in the multivalue field array. If there are any remaining values in the array those values are dropped. If omitted
limit
defaults to 0, which means there is no limit and all values are expanded. - Example in Canvas View: 5
Usage
Suppose your streaming data has fields a, b, and c. Each field has the following corresponding values:
Field a | Field b | Field c |
---|---|---|
1 | x | V1, V2, V3 |
2 | y | V4, V5 |
Pass in the c
field to the mvexpand
function:
Field | Description | Example |
---|---|---|
Field | This is the name of the multivalue field. | c |
Limit | This is the limit you want to set. | 0 |
This example takes each row from the incoming streaming data and then creates a new row with each value in the c field. The other fields will have duplicate values, while the c field will have each value from the multivalue field in a separate row.
Field a | Field b | Field c |
---|---|---|
1 | x | V1 |
1 | x | V2 |
1 | x | V3 |
2 | y | V4 |
2 | y | V5 |
SPL2 example
Examples of common use cases follow. The following examples in this section assume that you are in the SPL View.
When working in the SPL View you can write the function by providing the arguments in the exact order shown in each use case.
Create a new record for each value of the multivalue field, "foo".
... | mvexpand foo |...
Limit the number of values from the multivalue field to expand
Create new records for the first 5 values of multivalue field, "foo". Any remaining values are dropped.
...| mvexpand limit=5 foo |...
Merge Events | Rex |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0, 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6
Feedback submitted, thanks!