Related Answers
Download topic as PDF
mvexpand command examples
The following are examples for using the SPL2 mvexpand command.
To learn more about the mvexpand command, see How the mvexpand command works.
1. Expand the values in a specific field
Suppose you have the fields a, b, and c. Each field has the following corresponding values:
| a | b | c |
|---|---|---|
| 1 | x | V1, V2, V3 |
| 2 | y | V4, V5 |
You run the mvexpand command and specify the c field.
... | mvexpand c
This example takes each row from the incoming search results and then create a new row with for each value in the c field.The other fields will have duplicate values, while the c field will have each value from the multivalue field in a separate row.
| a | b | c |
|---|---|---|
| 1 | x | V1 |
| 1 | x | V2 |
| 1 | x | V3 |
| 2 | y | V4 |
| 2 | y | V5 |
2. Limit the number of values from the multivalue field to expand
Limit the number of values to expand to 10. Any remaining values are dropped.
... | mvexpand limit=10 my_mvfield
See also
|
PREVIOUS mvexpand command usage |
NEXT rename command overview |
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!