https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/635089#M220643 <P>I had indeed resolved it using in the mean time:&nbsp;</P><PRE>| extract pairdelim="," kvdelim="=" clean_keys=t</PRE><P>&nbsp;</P> Mon, 20 Mar 2023 08:09:18 GMT jmartens 2023-03-20T08:09:18Z https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634789#M220534 <P>I am trying to expand multiple fields from specific log lines using mvexpand but for some strange reason some fields are not extracted as expected, see screenshot for an example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmartens_0-1678980355806.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24343iA804E573831F3279/image-size/medium?v=v2&amp;px=400" role="button" title="jmartens_0-1678980355806.png" alt="jmartens_0-1678980355806.png" /></span></P> <P>I would also like to have the key/value pairs for col and gantry.</P> <P>&nbsp;</P> Fri, 17 Mar 2023 16:04:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634789#M220534 jmartens 2023-03-17T16:04:17Z https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634824#M220551 <P>This is not an <FONT face="courier new,courier">mvexpand</FONT> problem because the values field is not a multi-value field.&nbsp; We know it can't be a multi-value field because the <FONT face="courier new,courier">rex</FONT> command does not use the <FONT face="courier new,courier">max_match</FONT> option, which means only the first match of the regex will be extracted.</P><P>The fields that were extracted probably are the result of automatic extraction because they're in key=value format.&nbsp; I can't explain why the col and gantry fields were not extracted.</P><P>What is the end goal of this query?&nbsp; The <FONT face="courier new,courier">mvexpand</FONT> command puts each value of a multi-value field into a new event - is that what is desired?</P> Thu, 16 Mar 2023 20:13:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634824#M220551 richgalloway 2023-03-16T20:13:35Z https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634979#M220591 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;wrote:<BR /><P>We know it can't be a multi-value field because the <FONT face="courier new,courier">rex</FONT> command does not use the <FONT face="courier new,courier">max_match</FONT> option, which means only the first match of the regex will be extracted.</P></BLOCKQUOTE><P>I don't see why the regex here is such a proof. The `rex` is used to extract two named fields, of which the latter contains the values I am after and is assigned to values. I see no reason why `max_match` is even relevant here.</P><BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;wrote:<BR /><P>What is the end goal of this query?&nbsp; The <FONT face="courier new,courier">mvexpand</FONT> command puts each value of a multi-value field into a new event - is that what is desired?</P><HR /></BLOCKQUOTE><P>The end goal is to extract all values (as per column headings from the results in my screenshot) from value field extracted using the regular expression and assigning them to the event so I can process and plot these values.</P> Fri, 17 Mar 2023 19:20:57 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634979#M220591 jmartens 2023-03-17T19:20:57Z https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634981#M220592 <P>The <FONT face="courier new,courier">max_match</FONT> option is relevant because its absence tells me we're not dealing with a mutli-value field and so the <FONT face="courier new,courier">mvexpand</FONT> command is not of use.</P><P>To get each component of the values field into its own field we need to parse it.&nbsp; There is the <FONT face="courier new,courier">extract</FONT> command, but it only works with _raw so we have to jump through some hoops to use it.</P><LI-CODE lang="markup">&lt;&lt;your search to extract the values field&gt;&gt; | eval _raw = values | extract pairdelim=, kvdelim== | table values count max min avg col gantry energy</LI-CODE><P>&nbsp;</P> Fri, 17 Mar 2023 19:53:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/634981#M220592 richgalloway 2023-03-17T19:53:45Z https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/635089#M220643 <P>I had indeed resolved it using in the mean time:&nbsp;</P><PRE>| extract pairdelim="," kvdelim="=" clean_keys=t</PRE><P>&nbsp;</P> Mon, 20 Mar 2023 08:09:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-mvexpand-not-extracting-all-key-value-pairs/m-p/635089#M220643 jmartens 2023-03-20T08:09:18Z