Mvexpand

Use the mvexpand function to expand the values in a multivalue field into separate events, one event for each value in the multivalue field.

Function Input: collection<record<R>>; This function takes in collections of records with schema R.
Function Output: collection<record<S>>; This function outputs the same collection of records but with a different schema S.

Arguments

Argument	Input	Description	Example
field	string	The name of the multivalue field that you want to expand. You can only specify one field to expand.	my_mvexpandfield
limit	integer	Specifies the number of values to expand in the multivalue field array. If there are any remaining values in the array those values are dropped. If limit = 0 or null, then the limit is treated as the maximum limit. The limit is capped to 1000 for performance concerns. The results of the mvexpand are stored in the field provided.	10

UI example

Suppose your streaming data has fields a, b, and c. Each field has the following corresponding values:

Field a	Field b	Field c
1	x	V1, V2, V3
2	y	V4, V5

Pass in the c field to the mvexpand function:

Field	Description	Example
Field	This is the name of the multivalue field.	c
Limit	This is the limit you want to set.	0

This example takes each row from the incoming streaming data and then creates a new row with each value in the c field. The other fields will have duplicate values, while the c field will have each value from the multivalue field in a separate row.

Field a	Field b	Field c
1	x	V1
1	x	V2
1	x	V3
2	y	V4
2	y	V5

Full DSL example

mvexpand(events, "multivalue_field", 0);

Related answers from Splunk Community

Mvexpand

Arguments

UI example

Full DSL example

Comments

Mvexpand

Was this topic useful?