https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411487#M118701 <P>I am trying ways to avoid join function. I am combining two different sourcetype for all time duration. </P> <P>since i am using all time i cannot use Join due to slow performance and limation in numbers of rows to join. </P> <P>index=test sourcetype=a or sourcetype=b latest=now<BR /> now lets assume a1 is the field in sourcetype a which is equal to b1 in the sourcetype b and both the sourcetype has over a 2 lakh rows<BR /> my next step is doing a colaese function to link this<BR /> | eval test=coalesce(a1,b1)<BR /> now to make things fast i am doing a stats <BR /> | stats list(a2),list(a3),list(a4),list(a5),list(b1),list(b2) by test<BR /> now my stats will reduce values to 1 lakh, also i am using lust command because some fields in sourcetype a will be tagged to multiple fields in sourcetype6<BR /> somethg like <BR /> a1=b1----&gt; (b1.1,b1.2,b1.3)<BR /> now here since i am having more than 1 lakh rows my mvexpand failes<BR /> i am more concerned about multi value columns with multi value fields<BR /> in other words how to extract indivual rows from a multi value columns multi value row kind of event of a stats command without using mvindex command</P> Wed, 31 Jul 2019 15:34:16 GMT vkrishnachand 2019-07-31T15:34:16Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411483#M118697 <P>I am basically dealing with huge set of records where i am ending in mvexpand memory limit error. I want to extract data from below table without using mvexpand command. <BR /> if you notice the below table i want to extract as separate fields for each column. you can omit sno , because that is just to show that this is a multi value multi column table. This is the output of a stats command. </P> <P>kindly assist </P> <P>sno tasknumber projectidentifier taskstate<BR /> 1 tas123 Null open<BR /> tas456 Null closed<BR /> tas789 Null incomplete<BR /> ritm234 Null null</P> Wed, 31 Jul 2019 10:33:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411483#M118697 vkrishnachand 2019-07-31T10:33:10Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411484#M118698 <P>@vkrishnachand </P> <P>Can you please share your existing search and sample events?</P> Wed, 31 Jul 2019 11:01:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411484#M118698 kamlesh_vaghela 2019-07-31T11:01:37Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411485#M118699 <P>this is a kind of restricted data where i cannot share but i can share you a part of logic which i have used </P> <P>i have used the below spl to extract set of 8 fields from a statistics table shared in teh case . of course in the case i have given only four fields. <BR /> | eval zipped = mvzip(tasknumber , taskstate, "###") <BR /> | eval zipped = mvzip(zipped, taskassignmentgroup, "###")<BR /> | eval zipped = mvzip(zipped, taskcreateddate, "###")<BR /> | eval zipped = mvzip(zipped, taskassigned, "###")<BR /> | eval zipped = mvzip(zipped, taskreassignmentcount, "###")<BR /> | eval zipped = mvzip(zipped, tasklastupdated, "###")<BR /> | eval zipped = mvzip(zipped, taskdescription, "###")<BR /> | eval zipped= mvzip(zipped,projectidentifier, "###")<BR /> | eval zipped= mvzip(zipped,requestservice, "###")<BR /> | mvexpand zipped<BR /> | makemv delim="###" zipped<BR /> | eval finaltasknumber = mvindex(zipped, 0)<BR /> | eval finaltaskstate = mvindex(zipped, 1)<BR /> | eval finaltaskassignmentgroup = mvindex(zipped, 2)<BR /> | eval finaltaskcreateddate = mvindex(zipped, 3)<BR /> | eval finaltaskassigned = mvindex(zipped, 4)<BR /> | eval finaltaskreassignmentcount = mvindex(zipped, 5)<BR /> | eval finaltasklastupdated = mvindex(zipped, 6)<BR /> | eval finaltaskdescription = mvindex(zipped, 7)<BR /> | eval finalrequestservice = mvindex(requestservice, 0)<BR /> | eval finalprojectidentifier = mvindex(projectidentifier, 0)</P> <P>I have to go through this step especially for rows which have multi values. All i need is just skip mvexpand command and go for a different logic , because of bulk data. </P> Wed, 31 Jul 2019 12:20:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411485#M118699 vkrishnachand 2019-07-31T12:20:00Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411486#M118700 <P>What exactly are you trying to accomplish? There may be another solution that does not require such a large multi-value field.<BR /> Sample data may help. Anonymize it, if necessary.</P> Wed, 31 Jul 2019 12:51:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411486#M118700 richgalloway 2019-07-31T12:51:42Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411487#M118701 <P>I am trying ways to avoid join function. I am combining two different sourcetype for all time duration. </P> <P>since i am using all time i cannot use Join due to slow performance and limation in numbers of rows to join. </P> <P>index=test sourcetype=a or sourcetype=b latest=now<BR /> now lets assume a1 is the field in sourcetype a which is equal to b1 in the sourcetype b and both the sourcetype has over a 2 lakh rows<BR /> my next step is doing a colaese function to link this<BR /> | eval test=coalesce(a1,b1)<BR /> now to make things fast i am doing a stats <BR /> | stats list(a2),list(a3),list(a4),list(a5),list(b1),list(b2) by test<BR /> now my stats will reduce values to 1 lakh, also i am using lust command because some fields in sourcetype a will be tagged to multiple fields in sourcetype6<BR /> somethg like <BR /> a1=b1----&gt; (b1.1,b1.2,b1.3)<BR /> now here since i am having more than 1 lakh rows my mvexpand failes<BR /> i am more concerned about multi value columns with multi value fields<BR /> in other words how to extract indivual rows from a multi value columns multi value row kind of event of a stats command without using mvindex command</P> Wed, 31 Jul 2019 15:34:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411487#M118701 vkrishnachand 2019-07-31T15:34:16Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411488#M118702 <P>Your explanation is too confusing. Try putting together a few examples of data rows, with sensitive information removed, along with your desired output.</P> Wed, 31 Jul 2019 16:31:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411488#M118702 jnudell_2 2019-07-31T16:31:19Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411489#M118703 <P>Avoiding <CODE>join</CODE> is good. Using All Time is bad. Are you sure it's necessary?</P> <P>Your comment well explains why you chose the approach you did, but it's still not clear what the end goal is. What is to be learned from the final results?</P> Wed, 31 Jul 2019 18:37:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-rows-without-mvexpand-command/m-p/411489#M118703 richgalloway 2019-07-31T18:37:20Z