https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402639#M116509 <P>Is there a way to use mvexpand on multitple values?<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5263i6DF11B9F8B9770EA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This is the result of my current search and I want it to look like this below. Note that there will multiple multivalue fields so i cannot use the mvzip or can I?</P> <PRE><CODE>SESSIONID Timstamp Value1 Value2 Value3 1 06/21 1 2 3 1 06/22 2 3 4 </CODE></PRE> Mon, 25 Jun 2018 08:24:01 GMT michaelrosello 2018-06-25T08:24:01Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402639#M116509 <P>Is there a way to use mvexpand on multitple values?<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5263i6DF11B9F8B9770EA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This is the result of my current search and I want it to look like this below. Note that there will multiple multivalue fields so i cannot use the mvzip or can I?</P> <PRE><CODE>SESSIONID Timstamp Value1 Value2 Value3 1 06/21 1 2 3 1 06/22 2 3 4 </CODE></PRE> Mon, 25 Jun 2018 08:24:01 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402639#M116509 michaelrosello 2018-06-25T08:24:01Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402640#M116510 <P>First use <CODE>mvzip</CODE> the multi-values into a new field:</P> <PRE><CODE> | eval total=mvzip(value1, value2) // create multi-value field using value1 and value2 | eval total=mvzip(total, value3) // add the third field </CODE></PRE> <P>Now, Expand the field and restore the values:</P> <PRE><CODE> | mvexpand total // separate multi-value into into separate events | makemv total delim="," // convert the reading into a multi-value | eval value1=mvindex(total, 0) // set value1 to the first value of total | eval value2=mvindex(total, 1) // set value2 to the second value of total | eval value3=mvindex(total, -1) // set value3 to the last value of total </CODE></PRE> Mon, 25 Jun 2018 08:46:53 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402640#M116510 493669 2018-06-25T08:46:53Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402641#M116511 <P>To what extend would such an approach risk mixing up the connection between different 'rows' in the multi valued fields? Can you be sure that the first entry in multi valued field1 corresponds with the first entry in multi valued field2?</P> <P>Might be safer to extract it as 1 field to begin with, then expand and only then split out to the individual fields?</P> Mon, 25 Jun 2018 09:11:07 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402641#M116511 FrankVl 2018-06-25T09:11:07Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402642#M116512 <P>Please check this solution: <A href="https://answers.splunk.com/answers/724138/">https://answers.splunk.com/answers/724138/</A></P> Tue, 09 Apr 2019 10:44:03 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402642#M116512 madan27 2019-04-09T10:44:03Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402643#M116513 <P>Can you close out this question by choosing @493669 answer? </P> Tue, 16 Apr 2019 21:11:45 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402643#M116513 ryhluc01 2019-04-16T21:11:45Z https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402644#M116514 <P>The -1 @ the end is recapturing the second result instead of the last. To fix this just remove the "-" in the last eval. </P> Tue, 16 Apr 2019 22:10:28 GMT https://community.splunk.com/t5/Splunk-Search/mvexpand-multiple-fields/m-p/402644#M116514 ryhluc01 2019-04-16T22:10:28Z