mvexpand multiple multi-value fields [MACRO BASED SOLUTION]

dmanojbaba — Fri, 08 Feb 2019 23:40:30 GMT

There are already several Splunk Answers around mvexpand multiple multi-value fields.

https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html
https://answers.splunk.com/answers/123887/how-to-expand-multiple-multivalue-fields.html

Some of them also helped in improving Splunk Docs (Example 3)
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand#Examples

Now, how can it auto-scale horizontally for any number of fields?

Here is a macro based solution for this question.

Macro Name:
my_mvexpand(2)

Usage:
my_mvexpand(2) macro takes two arguments.
First argument is one of the multi-value field, which you would like to expand.
Second argument takes the list of other multi-value fields (comma OR space separated), which you would like to zip & expand along with mvfield in the First argument.

### Syntax:
`my_mvexpand("mv_field_1","mv_field_2,mv_field_3")`                //comma separated second argument
`my_mvexpand("mv_field_1","mv_field_2 mv_field_3 mv_field_4")`  //space separated second argument

### Example 1:
| makeresults 
| eval f1=split("a1,a2,a3",",") 
| eval f2=split("b1,b2,b3",",") 
| eval f3=split("c1,c2,c3",",")
    `my_mvexpand(f1,"f2 f3")`

### Example 2:
| makeresults 
| eval x="another_single_value_field" 
| eval f1=split("a1,a2,a3",",") 
| eval f2=split("b1,b2,b3",",") 
| eval f3=split("c1,c2,c3",",") 
| eval f4=split("d1,d2,d3",",")
    `my_mvexpand("f1","f2,f3,f4")`

Please note, similar to other solutions already answered in Splunk Answers, this macro based solution works only with mvfields of same cardinality (i.e. mvfields having same mvcount)

Feel free to use and enhance 🙂

Re: mvexpand multiple multi-value fields [MACRO BASED SOLUTION]

dmanojbaba — Sat, 09 Feb 2019 08:38:11 GMT

MACRO BASED SOLUTION

Macro Name:
my_mvexpand(2)

Macro Arguments:
first_mv_field,other_mv_fields

Macro Definition:

| fields - _raw 
| eval fields_value=$first_mv_field$, 
    fields_list="$first_mv_field$".",".replace("$other_mv_fields$"," ",",") 
| foreach $other_mv_fields$ 
    [ eval fields_value=mvzip(fields_value,'<<FIELD>>') ] 
| mvexpand fields_value 
| eval fields_value=split(fields_value,","),
    fields_list=split(fields_list,",") 
| eval _raw=mvzip(fields_list,fields_value,"_X==") 
| extract pairdelim="\n" kvdelim="==" 
| fields - _raw,fields_list,fields_value 
| rename *_X as *

macros.conf

[my_mvexpand(2)]
args = first_mv_field,other_mv_fields
definition = | fields - _raw \
| eval fields_value=$first_mv_field$, \
    fields_list="$first_mv_field$".",".replace("$other_mv_fields$"," ",",") \
| foreach $other_mv_fields$ \
    [ eval fields_value=mvzip(fields_value,'<<FIELD>>') ] \
| mvexpand fields_value \
| eval fields_value=split(fields_value,","),\
    fields_list=split(fields_list,",") \
| eval _raw=mvzip(fields_list,fields_value,"_X==") \
| extract pairdelim="\n" kvdelim="==" \
| fields - _raw,fields_list,fields_value \
| rename *_X as *

topic Re: mvexpand multiple multi-value fields [MACRO BASED SOLUTION] in Splunk Search

mvexpand multiple multi-value fields [MACRO BASED SOLUTION]

Re: mvexpand multiple multi-value fields [MACRO BASED SOLUTION]

MACRO BASED SOLUTION