https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648642#M16681 <TABLE border="0" width="192" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="36">ID</TD><TD width="64">curr_row</TD><TD width="64">comparison_result</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">Turn on</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">Turn on</TD><TD width="64">not equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">7656</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">7690</TD><TD width="64">not equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">8783</TD><TD width="64">equal</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>For the above table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on" without using mvexpand command. I have tried with mvexpand query, memory issue was there.</SPAN></P><P>&nbsp;</P><P><SPAN>Mvexpand query:</SPAN></P><P>&nbsp;</P><PRE>| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null()) | mvexpand row | eval curr_row=if(row==0,"Turn on",curr_row) | fields - row</PRE> Thu, 29 Jun 2023 14:51:02 GMT Kirthika 2023-06-29T14:51:02Z https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648642#M16681 <TABLE border="0" width="192" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="36">ID</TD><TD width="64">curr_row</TD><TD width="64">comparison_result</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">Turn on</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">19</TD><TD width="64">1245</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">Turn on</TD><TD width="64">not equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">7656</TD><TD width="64">equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">7690</TD><TD width="64">not equal</TD></TR><TR><TD width="64" height="20">20</TD><TD width="64">8783</TD><TD width="64">equal</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>For the above table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on" without using mvexpand command. I have tried with mvexpand query, memory issue was there.</SPAN></P><P>&nbsp;</P><P><SPAN>Mvexpand query:</SPAN></P><P>&nbsp;</P><PRE>| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null()) | mvexpand row | eval curr_row=if(row==0,"Turn on",curr_row) | fields - row</PRE> Thu, 29 Jun 2023 14:51:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648642#M16681 Kirthika 2023-06-29T14:51:02Z https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648739#M16696 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254923">@Kirthika</a>&nbsp;</P><P>stats command will give you better performance over mvexpand and memory limitation issues.&nbsp; Please check below sample search and try to design your search as per requirement.&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="ID curr_row comparison_result 19 Turn on equal 19 1245 equal 19 1245 equal 19 1245 equal 19 1245 equal 19 1245 equal 19 1245 equal 20 Turn on not equal 20 7656 equal 20 7690 not equal 20 8783 equal" | multikv forceheader=1 | table ID curr_row comparison_result | rename comment as "Upto now is data generation logic only" | eval a=1 | accum a | eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2)," ") | stats c by a ID curr_row comparison_result row | sort a | eval curr_row=if(row==0,"Turn on",curr_row) | table ID curr_row comparison_result</LI-CODE><P>&nbsp;</P><P>I hope this will help you.</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P><P>&nbsp;</P> Fri, 30 Jun 2023 05:54:27 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648739#M16696 kamlesh_vaghela 2023-06-30T05:54:27Z https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648740#M16697 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;. It works as expected</P> Fri, 30 Jun 2023 06:07:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648740#M16697 Kirthika 2023-06-30T06:07:21Z https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648741#M16698 <P>Glad to help you&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254923">@Kirthika</a>&nbsp;</P><P><STRONG>Happy Splunking</STRONG></P><P>&nbsp;</P> Fri, 30 Jun 2023 06:09:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multivalue-field-problem-Is-there-any-way-to-use-without-quot/m-p/648741#M16698 kamlesh_vaghela 2023-06-30T06:09:15Z