mvexpand command overview
The SPL2 mvexpand command expands the values in a multivalue field into separate events, one event for each value in the multivalue field.
Syntax
The required syntax is in bold.
- mvexpand
- [limit=<int>]
- <field>
How the SPL2 mvexpand command works
The SPL2 mvexpand command creates individual events, or rows, for each value in a multivalue field. For example, the following search results contain the field productId which has multiple values.
| ipaddress | total_purchases | total_products | productId |
|---|---|---|---|
| 107.3.146.207 | 72 | 3 | DB-SG-G01 FS-SG-G03 |
| 128.241.220.82 | 95 | 2 | DB-SG-G01 DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | DB-SG-G01 DC-SG-G02 |
| 211.166.11.101 | 91 | 2 | DB-SG-G01 WC-SH-G04 |
| 87.194.216.51 | 134 | 3 | DC-SG-G02 FS-SG-G03 |
If you add ... | mvexpand productId to your search, a new row is created for each product ID. The multivalued fields are expanded into individual search results. The other fields are unchanged.
The results look something like this:
| ipaddress | total_purchases | total_products | productId |
|---|---|---|---|
| 107.3.146.207 | 72 | 3 | DB-SG-G01 |
| 107.3.146.207 | 72 | 3 | FS-SG-G03 |
| 107.3.146.207 | 72 | 3 | WC-SH-G04 |
| 128.241.220.82 | 95 | 2 | DB-SG-G01 |
| 128.241.220.82 | 95 | 2 | DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | DB-SG-G01 |
| 194.215.205.19 | 60 | 4 | DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | FS-SG-G03 |
| 194.215.205.19 | 60 | 4 | WC-SH-G04 |
See also
| lookup command examples | mvexpand command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!