Splunk® Cloud Services

SPL2 Search Reference

mvexpand command: Overview, syntax, and usage

The SPL2 mvexpand command expands the values in a multivalue field into separate events, one event for each value in the multivalue field.

Use these links to quickly navigate to the main sections in this topic:

How the SPL2 mvexpand command works

The SPL2 mvexpand command creates individual events, or rows, for each value in a multivalue field. For example, the following search results contain the field productId which has multiple values.

ipaddress total_purchases total_products productId
107.3.146.207 72 3 DB-SG-G01

FS-SG-G03
WC-SH-G04

128.241.220.82 95 2 DB-SG-G01

DC-SG-G02

194.215.205.19 60 4 DB-SG-G01

DC-SG-G02
FS-SG-G03
WC-SH-G04

211.166.11.101 91 2 DB-SG-G01

WC-SH-G04

87.194.216.51 134 3 DC-SG-G02

FS-SG-G03
WC-SH-G04

If you add ... | mvexpand productId to your search, a new row is created for each product ID. The multivalued fields are expanded into individual search results. The other fields are unchanged.

The results look something like this:

ipaddress total_purchases total_products productId
107.3.146.207 72 3 DB-SG-G01
107.3.146.207 72 3 FS-SG-G03
107.3.146.207 72 3 WC-SH-G04
128.241.220.82 95 2 DB-SG-G01
128.241.220.82 95 2 DC-SG-G02
194.215.205.19 60 4 DB-SG-G01
194.215.205.19 60 4 DC-SG-G02
194.215.205.19 60 4 FS-SG-G03
194.215.205.19 60 4 WC-SH-G04

Syntax

The required syntax is in bold.

mvexpand
[limit=<int>]
<field>

Required arguments

field
Syntax: <field>
Description: The name of the multivalue field that you want to expand. You can only specify one field to expand.


Optional arguments

limit
Syntax: limit=<int>
Description: Specifies the number of values to expand in the multivalue field array. If there are any remaining values in the array those values are dropped. If omitted limit defaults to 0, which means there is no limit and all values are expanded.
Default: 0

Usage

You can use evaluation functions and statistical functions on multivalue fields or to create multivalue fields.

Differences between SPL and SPL2

The differences between the SPL and SPL2 mvexpand command are described in these sections.

Command options must be specified before command arguments

Version Example
SPL ...mvexpand myfield limit=10
SPL2 ...mvexpand limit=10 myfield

See also

mvexpand command
mvexpand command; Examples
Last modified on 10 April, 2025
lookup command: Examples   mvexpand command: Examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters