Splunk® Cloud Services

SPL2 Search Reference

mvexpand command overview

The SPL2 mvexpand command expands the values in a multivalue field into separate events, one event for each value in the multivalue field.


The required syntax is in bold.


How the SPL2 mvexpand command works

The SPL2 mvexpand command creates individual events, or rows, for each value in a multivalue field. For example, the following search results contain the field productId which has multiple values.

ipaddress total_purchases total_products productId 72 3 DB-SG-G01

WC-SH-G04 95 2 DB-SG-G01

DC-SG-G02 60 4 DB-SG-G01

WC-SH-G04 91 2 DB-SG-G01

WC-SH-G04 134 3 DC-SG-G02


If you add ... | mvexpand productId to your search, a new row is created for each product ID. The multivalued fields are expanded into individual search results. The other fields are unchanged.

The results look something like this:

ipaddress total_purchases total_products productId 72 3 DB-SG-G01 72 3 FS-SG-G03 72 3 WC-SH-G04 95 2 DB-SG-G01 95 2 DC-SG-G02 60 4 DB-SG-G01 60 4 DC-SG-G02 60 4 FS-SG-G03 60 4 WC-SH-G04

See also

mvexpand command
mvexpand command syntax details
mvexpand command usage
mvexpand command examples
Last modified on 31 January, 2024
lookup command examples   mvexpand command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters