https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712481#M240341 <LI-CODE lang="markup">| sort 0 _time host</LI-CODE> Tue, 25 Feb 2025 14:23:24 GMT ITWhisperer 2025-02-25T14:23:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712403#M240334 <P>Hi, I have this Splunk SPL:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=EventViewer source="WinEventLog:Application" SourceName=sample | table host Name, Description, Location</LI-CODE><P>&nbsp;</P><P>Name, Description, and Location are all multi value fields that directly corresponds to each other.&nbsp;<BR />Here is the sample for one of the hosts:</P><P>&nbsp;</P><LI-CODE lang="markup">Name Description Location name1 description1 location1 name2 description2 location2 name3 description3 location3 name4 description4 location4</LI-CODE><P>&nbsp;</P><P><BR />What I am trying to do is show each record for each host in a separate row. I cannot use mvexpand becasue there are millions of events and it causes the results to truncated due to the following warn message:</P><P>&nbsp;</P><LI-CODE lang="markup">command.mvexpand: output will be truncated at 35500 results due to excessive memory usage.</LI-CODE><P>&nbsp;</P><P><BR />I cannot do anything with limits.conf to adjust this memory limit so I need an alternative option to display each record in individual rows.&nbsp;</P> Mon, 24 Feb 2025 22:39:00 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712403#M240334 Singh10 2025-02-24T22:39:00Z https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712405#M240335 <P>Try something like this</P><LI-CODE lang="markup">| eval combined=mvzip(name,mvzip(location,description,"|"),"|") | stats count by combined | eval name=mvindex(split(combined,"|"),0) | eval location=mvindex(split(combined,"|"),1) | eval description=mvindex(split(combined,"|"),2)</LI-CODE> Tue, 25 Feb 2025 00:05:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712405#M240335 ITWhisperer 2025-02-25T00:05:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712412#M240339 <BLOCKQUOTE><HR />Name, Description, and Location are all multi value fields that directly corresponds to each other.&nbsp;<BR />Here is the sample for one of the hosts:</BLOCKQUOTE><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Name Description Location name1 description1 location1 name2 description2 location2 name3 description3 location3 name4 description4 location4</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Can you explain how is this sample for ONE of the hosts? &nbsp;Does the above represent one field with five lines, the first line being "Name Description Location"? &nbsp;Or do you mean to say a sample for one of the hosts looks like</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">Name</TD><TD width="33.333333333333336%">Description</TD><TD width="33.333333333333336%">Location</TD></TR><TR><TD width="33.333333333333336%">Name1<BR />Name2<BR />Name3<BR />Name4</TD><TD width="33.333333333333336%">description1<BR />description2<BR />description3<BR />description4</TD><TD width="33.333333333333336%">location1<BR />location2<BR />location3<BR />location4</TD></TR></TBODY></TABLE><P>Or something totally different?</P><P>Also, your SPL snippet doesn't show the mvexpand command that causes the memory error. &nbsp;How are you using mvexpand?</P><P>Additionally, what is the expected output from the sample, after you clarify how the sample actually look like?</P> Tue, 25 Feb 2025 03:39:43 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712412#M240339 yuanliu 2025-02-25T03:39:43Z https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712478#M240340 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, This seems to work.&nbsp; How can I display results where all the names, locations, and descriptions from the same event are displayed together. For example:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%">host</TD><TD width="20%">_time</TD><TD width="20%">Name</TD><TD width="20%">Location</TD><TD width="20%">Description</TD></TR><TR><TD width="20%">host1</TD><TD width="20%">9:06</TD><TD width="20%">Name1</TD><TD width="20%">Location1</TD><TD width="20%">Description1</TD></TR><TR><TD width="20%">host1</TD><TD width="20%">9:06</TD><TD width="20%">Name2</TD><TD width="20%">Location2</TD><TD width="20%">Description2</TD></TR><TR><TD width="20%">host2</TD><TD width="20%">8:02</TD><TD width="20%">Name1</TD><TD width="20%">Location1</TD><TD width="20%">Description1</TD></TR><TR><TD width="20%">host2</TD><TD width="20%">8:02</TD><TD width="20%">Name2</TD><TD width="20%">Location2</TD><TD width="20%">Description2</TD></TR></TBODY></TABLE><P>If the event is sent at 9:02 lets say for a specific host. I want to make sure all names, locations, and descriptions are displayed below each other. I hope that makes sense. I would really appreciate your help.&nbsp;</P> Tue, 25 Feb 2025 14:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712478#M240340 Singh10 2025-02-25T14:14:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712481#M240341 <LI-CODE lang="markup">| sort 0 _time host</LI-CODE> Tue, 25 Feb 2025 14:23:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-mvexpand-results-truncated/m-p/712481#M240341 ITWhisperer 2025-02-25T14:23:24Z