mvexpand command: Examples
The following are examples for using the SPL2 mvexpand command.
To learn more about the mvexpand command, see How the SPL2 mvexpand command works.
1. Expand the values in a specific field
Suppose you have the fields a, b, and c. Each field has the following corresponding values:
| a | b | c |
|---|---|---|
| 1 | x | V1, V2, V3 |
| 2 | y | V4, V5 |
You run the mvexpand command and specify the c field.
... | mvexpand c
This example takes each row from the incoming search results and then create a new row with for each value in the c field.The other fields will have duplicate values, while the c field will have each value from the multivalue field in a separate row.
| a | b | c |
|---|---|---|
| 1 | x | V1 |
| 1 | x | V2 |
| 1 | x | V3 |
| 2 | y | V4 |
| 2 | y | V5 |
2. Limit the number of values from the multivalue field to expand
Limit the number of values to expand to 10. Any remaining values are dropped.
... | mvexpand limit=10 my_mvfield
3. Pipeline example
Consider the following raw event data:
| _raw |
|---|
| 9/13/2024 09:00:00 SERVER myserver |
To separate the IP addresses from the _raw field, use the mvexpand command.
$pipeline = from $source
| rex field=_raw max_match=0 /(?P<iplist>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
| mvexpand iplist
| into $destination
The results look like this:
| _raw | iplist |
|---|---|
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.1 |
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.2 |
| 9/13/2024 09:00:00 SERVER myserver |
192.0.2.3 |
See also
- mvexpand command
- mvexpand command: Overview, syntax, and usage
| mvexpand command: Overview, syntax, and usage | rename command: Overview, syntax, and usage |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!