https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/604118#M210146 <LI-CODE lang="markup">| eval range=mvrange(0,mvcount(Skills)) | mvexpand range | eval Skills=mvindex(Skills,range) | eval SkillLevel=mvindex(SkillLevel,range) | eval Hours=mvindex(Hours,range) | fields - range</LI-CODE> Fri, 01 Jul 2022 12:24:30 GMT ITWhisperer 2022-07-01T12:24:30Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603556#M210015 <P>Hi!</P><P>I have 3 multivalue fields (max. 3 values per field) and I want to expand/extract them to single values. Data looks like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="timo258_0-1656410219678.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20334i7B85A4C8A95973C1/image-size/medium?v=v2&amp;px=400" role="button" title="timo258_0-1656410219678.png" alt="timo258_0-1656410219678.png" /></span></P><P>When I use | mvexpand Splunk extracts to all skills, all skillLevels with all skill hours:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="timo258_2-1656410912449.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20336iA89B45C8BFC8CD79/image-size/medium?v=v2&amp;px=400" role="button" title="timo258_2-1656410912449.png" alt="timo258_2-1656410912449.png" /></span></P><P>How can I tell splunk to extract only line by line?&nbsp;<BR />Result should look like:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px"><STRONG>Skill</STRONG></TD><TD width="33.333333333333336%" height="25px"><STRONG>SkillLevel</STRONG></TD><TD width="33.333333333333336%" height="25px"><STRONG>Hours</STRONG></TD></TR><TR><TD width="33.333333333333336%" height="25px">Hardware-Techniker</TD><TD width="33.333333333333336%" height="25px">3 Advanced</TD><TD width="33.333333333333336%" height="25px">10</TD></TR><TR><TD width="33.333333333333336%" height="25px"><SPAN>Software-Entwickler Sonderprogramme (C, C++)</SPAN></TD><TD width="33.333333333333336%" height="25px">3 Advanced</TD><TD width="33.333333333333336%" height="25px">15</TD></TR></TBODY></TABLE><P><BR />Query: (without | mvexpand)</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| eval Skills = mvappend(customfield_26202_child_value, customfield_26204_child_value, customfield_26205_child_value) | eval SkillLevel = mvappend(customfield_26206_value, customfield_26207_value, customfield_26208_value) | eval Hours = mvappend(customfield_26300, customfield_26301, customfield_26302) | table Skills,SkillLevel,Hours</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Thank you very much!</P> Tue, 28 Jun 2022 10:17:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603556#M210015 timo258 2022-06-28T10:17:45Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603558#M210016 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247151">@timo258</a>&nbsp;,</P><P>&nbsp;</P><P>After the mvexpand you could try:</P><P>&nbsp;</P><PRE>| stats sum(Hours) as Hours_total by Skill SkillLevel<BR />| stats list(Skill) list(SkillLevel) by Hours_total</PRE><P>&nbsp;</P><P>Then use table and/or rename as you need to get the correct order and name of columns.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Jamie</P> Tue, 28 Jun 2022 10:28:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603558#M210016 jamie00171 2022-06-28T10:28:36Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603561#M210017 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247151">@timo258</a>,</P><P>you should see the mvexpand command (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Mvexpand" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Mvexpand</A>) and try something like this:</P><LI-CODE lang="markup">index=your_index | mvexpand Skill | stats sum(Hours) AS Hours values(skillLevel) AS skillLevels BY Skill</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 28 Jun 2022 11:00:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603561#M210017 gcusello 2022-06-28T11:00:56Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603566#M210019 <P>Hi Jamie,</P><P>Thank you for your answer!</P><P>The problem with your is, if I do a:&nbsp;</P><PRE>| stats sum(Hours)</PRE><P>Splunk will sum up all hours in that field:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="timo258_0-1656414887732.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20337iD6BD52832C48D746/image-size/medium?v=v2&amp;px=400" role="button" title="timo258_0-1656414887732.png" alt="timo258_0-1656414887732.png" /></span></P> Tue, 28 Jun 2022 11:16:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603566#M210019 timo258 2022-06-28T11:16:43Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603568#M210020 <P>Hi <SPAN>Giuseppe</SPAN>,</P><P>Thank you for your answer!</P><P>The problem with your solution is, if I do a:&nbsp;</P><PRE>| stats sum(Hours)</PRE><P>Splunk will sum up all hours in that field:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="timo258_0-1656415147581.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20338iE7A20017ED86A270/image-size/medium?v=v2&amp;px=400" role="button" title="timo258_0-1656415147581.png" alt="timo258_0-1656415147581.png" /></span></P><P>&nbsp;</P> Tue, 28 Jun 2022 11:19:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603568#M210020 timo258 2022-06-28T11:19:41Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603570#M210021 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247151">@timo258</a>,</P><P>the problem is that multivales field are ordered in alphabetical order on the single field, in other words, the first value of the first multivale isn't sure that it's corresponding to the first value of the second field.</P><P>How do you arrived to this multivalues? are they the result of a stats command or are they in the row events?</P><P>in the fist case ,please share the code, in the second, please share some sample of your events.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 28 Jun 2022 11:27:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603570#M210021 gcusello 2022-06-28T11:27:37Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603599#M210027 <P>Hi Giuseppe,</P><P>raw data is a&nbsp; huge json file with events like this: (separated by "key" field)</P><P>&nbsp;</P><LI-CODE lang="markup">{ "customfield_26300" : 10.0, "customfield_26302" : null, "customfield_26301" : 15.0, "customfield_26202" : { "child" : { "value" : "Hardware-Techniker" } }, "customfield_26204" : { "child" : { "value" : "Software-Entwickler Sonderprogramme (C, C++)" } }, "key" : "PBWP-4881", "customfield_26207" : { "value" : "3 Advanced" }, "customfield_26206" : { "value" : "3 Advanced" } }</LI-CODE><P>&nbsp;</P><P>customfield_26202 and&nbsp;customfield_26204 has the same content and I have to merge/append them together.&nbsp; Same for customfield_26027 and 26206 etc.<BR />That is why I did this:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| eval Skills = mvappend(customfield_26202_child_value, customfield_26204_child_value, customfield_26205_child_value) ...</LI-CODE><P>&nbsp;</P><P>I did some tests, Splunk is taking the order from mvappend() function<SPAN>. I think it is not alphabetical.&nbsp;<BR /><BR />Any ideas how I can achieve&nbsp;that:</SPAN></P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px"><STRONG>Skill</STRONG></TD><TD width="33.333333333333336%" height="25px"><STRONG>SkillLevel</STRONG></TD><TD width="33.333333333333336%" height="25px"><STRONG>Hours</STRONG></TD></TR><TR><TD width="33.333333333333336%" height="25px">Hardware-Techniker</TD><TD width="33.333333333333336%" height="25px">3 Advanced</TD><TD width="33.333333333333336%" height="25px">10</TD></TR><TR><TD width="33.333333333333336%" height="25px"><SPAN>Software-Entwickler Sonderprogramme (C, C++)</SPAN></TD><TD width="33.333333333333336%" height="25px">3 Advanced</TD><TD width="33.333333333333336%" height="25px">15</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 28 Jun 2022 14:38:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/603599#M210027 timo258 2022-06-28T14:38:43Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/604118#M210146 <LI-CODE lang="markup">| eval range=mvrange(0,mvcount(Skills)) | mvexpand range | eval Skills=mvindex(Skills,range) | eval SkillLevel=mvindex(SkillLevel,range) | eval Hours=mvindex(Hours,range) | fields - range</LI-CODE> Fri, 01 Jul 2022 12:24:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/604118#M210146 ITWhisperer 2022-07-01T12:24:30Z https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/604129#M210150 <P>Works just perfect! Thank you very much!!&nbsp;</P> Fri, 01 Jul 2022 13:40:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-expand-extract-multivalue-fields-line-by-line/m-p/604129#M210150 timo258 2022-07-01T13:40:11Z