Related Answers
Download topic as PDF
mvexpand
Description
Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. For each result, the mvexpand command creates a new result for every multivalue field.
Syntax
mvexpand <field> [limit=<int>]
Required arguments
- field
- Syntax: <field>
- Description: The name of a multivalue field.
Optional arguments
- limit
- Syntax: limit=<int>
- Description: Specify the number of values of <field> to use for each input event.
- Default: 0, or no limit
Usage
There evaluation functions and statistical functions that you can use on multivalue fields or to return multivalue fields.
Limits
A limit exists on the amount of RAM that the mvexpand command is permitted to use while expanding a batch of results. By default the limit is 200MB. The input chunk of results is typically maxresults or smaller in size, and the expansion of all these results resides in memory at one time. The total necessary memory is the average result size multiplied by the number of results in the chunk multiplied by the average size of the multivalue field being expanded.
If this attempt exceeds the configured maximum on any chunk, the chunk is truncated and a warning message is emitted. If you have Splunk Enterprise, you can adjust the limit by editing the max_mem_usage_mb setting in limits.conf. If you have Splunk Cloud and encounter problems because of this limit, file a Support ticket.
Examples
Example 1:
Create new events for each value of multivalue field, "foo".
... | mvexpand foo
Example 2:
Create new events for the first 100 values of multivalue field, "foo".
... | mvexpand foo limit=100
Example 3:
The mvexpand command only works on one multivalue field. This example walks through how to expand an event with more than one multivalue field into individual events for each field value. For example, given these events, with sourcetype=data:
2012-10-01 00:11:23 a=22 b=21 a=23 b=32 a=51 b=24 2012-10-01 00:11:22 a=1 b=2 a=2 b=3 a=5 b=2
First, use the rex command to extract the field values for a and b. Then use the eval command and mvzip function to create a new field from the values of a and b.
sourcetype=data | rex field=_raw "a=(?<a>\d+)" max_match=5 | rex field=_raw "b=(?<b>\d+)" max_match=5 | eval fields = mvzip(a,b) | table _time fields
Use the mvexpand command and the rex command on the new field, fields, to create new events and extract the fields alpha and beta:
sourcetype=data | rex field=_raw "a=(?<a>\d+)" max_match=5 | rex field=_raw "b=(?<b>\d+)" max_match=5 | eval fields = mvzip(a,b) | mvexpand fields | rex field=fields "(?<alpha>\d+),(?<beta>\d+)" | table _time alpha beta
Use the table command to display only the _time, alpha, and beta fields in a results table:
(Thanks to Splunk user Duncan for this example. You can see another version of this with JSON data and the spath command.)
See also
Commands:
makemv
mvcombine
nomv
Functions:
Multivalue eval functions
Multivalue stats and chart functions
split
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the mvexpand command.
|
PREVIOUS mvcombine |
NEXT nomv |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Feedback submitted, thanks!