mvexpand command examples
The following are examples for using the SPL2 mvexpand command.
To learn more about the mvexpand command, see How the SPL2 mvexpand command works.
1. Expand the values in a specific field
Suppose you have the fields a, b, and c. Each field has the following corresponding values:
| a | b | c |
|---|---|---|
| 1 | x | V1, V2, V3 |
| 2 | y | V4, V5 |
You run the mvexpand command and specify the c field.
... | mvexpand c
This example takes each row from the incoming search results and then create a new row with for each value in the c field.The other fields will have duplicate values, while the c field will have each value from the multivalue field in a separate row.
| a | b | c |
|---|---|---|
| 1 | x | V1 |
| 1 | x | V2 |
| 1 | x | V3 |
| 2 | y | V4 |
| 2 | y | V5 |
2. Limit the number of values from the multivalue field to expand
Limit the number of values to expand to 10. Any remaining values are dropped.
... | mvexpand limit=10 my_mvfield
3. Pipeline example
Consider the following raw event data:
| _raw |
|---|
| 9/13/2024 09:00:00 SERVER myserver |
To separate the IP addresses from the _raw field, use the mvexpand command.
$pipeline = from $source
| rex field=_raw max_match=0 /(?P<iplist>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
| mvexpand iplist
| into $destination
The results look like this:
| _raw | iplist |
|---|---|
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.1 |
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.2 |
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.3 |
See also
| mvexpand command usage | rename command overview |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!