https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378681#M110998 <P>Only you have two fields that need expand so you need to combine them into one field first.</P> <P>| inputlookup ...<BR /> | eval a=mvzip(field1,field2)<BR /> | makemv a<BR /> | mvexpand a<BR /> | eval b=mvindex(a,0)<BR /> | eval c=mvindex(a,1)<BR /> | table b c</P> Thu, 20 Dec 2018 13:21:48 GMT jkat54 2018-12-20T13:21:48Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378677#M110994 <P>I have a query where I'm using mvexpand and mvdedup commands to extract some records and calculate related values. But unfortunately both the commands are not working properly. Below is the example what I'm getting. Can anybody please help me understand what's going wrong.</P> <P>Query:</P> <PRE><CODE>| inputlookup cee_dlp_base_report.csv | table _time, User_Name, Detail_File_Size_MB | mvexpand Detail_File_Size_MB | eval User_Name = mvdedup(User_Name) </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6303iE408AFB7E3AA86BC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6304iD9EDEA3119B7C7A0/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 20 Dec 2018 11:35:58 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378677#M110994 rajim 2018-12-20T11:35:58Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378678#M110995 <P>@rajim </P> <P>Both <CODE>User_Name</CODE> &amp; <CODE>Detail_File_Size_MB</CODE> multivalued fields? And what is the relation between them. If there is a relation then can you please try below search for work around?</P> <PRE><CODE>| inputlookup cee_dlp_base_report.csv | eval temp=mvzip(User_Name, Detail_File_Size_MB) | mvexpand temp | eval User_Name = mvindex(split(temp,","),0), Detail_File_Size_MB = mvindex(split(temp,","),1) | table _time, User_Name, Detail_File_Size_MB </CODE></PRE> <P>For further analysis, can you please share sample data from lookup file?</P> Thu, 20 Dec 2018 12:05:17 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378678#M110995 kamlesh_vaghela 2018-12-20T12:05:17Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378679#M110996 <P>Looks like those fields are not actually multi valued. When you hover over them with your mousepointer, do you get highlights for the individual lines, or just for the whole event row together?</P> Thu, 20 Dec 2018 12:28:51 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378679#M110996 FrankVl 2018-12-20T12:28:51Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378680#M110997 <P>You need to add a ‘|makemv fieldName’</P> Thu, 20 Dec 2018 13:16:21 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378680#M110997 jkat54 2018-12-20T13:16:21Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378681#M110998 <P>Only you have two fields that need expand so you need to combine them into one field first.</P> <P>| inputlookup ...<BR /> | eval a=mvzip(field1,field2)<BR /> | makemv a<BR /> | mvexpand a<BR /> | eval b=mvindex(a,0)<BR /> | eval c=mvindex(a,1)<BR /> | table b c</P> Thu, 20 Dec 2018 13:21:48 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378681#M110998 jkat54 2018-12-20T13:21:48Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378682#M110999 <P>yes you are right. Whenever we are writing the multivalued fields into a csv file, the fields are converting into single value with all multivalued grouped. That's why mvdedup and mvexpand is not working. Thank you for pointing this.</P> Thu, 20 Dec 2018 14:46:24 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378682#M110999 rajim 2018-12-20T14:46:24Z https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378683#M111000 <P>No this is not helpful, as described below. Anyway thank you for your answer. </P> Thu, 20 Dec 2018 14:47:07 GMT https://community.splunk.com/t5/Splunk-Search/How-come-I-can-t-get-mvdedup-and-mvexpand-commands-to-work/m-p/378683#M111000 rajim 2018-12-20T14:47:07Z