topic Re: mvexpand query in Splunk Search

mvexpand query

splunkn — Fri, 13 Mar 2015 13:53:36 GMT

I extracted a multivalued field named universal_ip to extract all IPs (whatever it is source or dest) in all events.

One of my event looks like below
12/Mar/2015:13:38:01 +0000] 11.22.33.44 GET /sdffd/sdfsdfh.sdfsdhhf/sdfhsdfhj

If I run the query like this (index=* | mvexpand universal_ip | table _raw) ,it returns the result twice for each event.
For example the above event found twice in my results.

Could you please clarify why mvexpand command gives the result twice. Here single value is found for multivalue field universal_ip.
Then how it returns twice?

Thanks in advance

Re: mvexpand query

emiller42 — Fri, 13 Mar 2015 14:10:19 GMT

can you clarify your question? I'm not sure what you mean by TIME3 here.

Re: mvexpand query

splunkn — Fri, 13 Mar 2015 14:18:44 GMT

I have edited my question.Could you pls clarify now

Re: mvexpand query

aweitzman — Fri, 13 Mar 2015 14:26:42 GMT

It would be helpful to show how you are doing the extraction. Can you please show us how you are getting universal_ip out of the event?

Re: mvexpand query

somesoni2 — Fri, 13 Mar 2015 14:33:12 GMT

Looks like you have two active field extraction for the field universal_ip. As per your sample event, I see there is only 1 IP address per event, so not sure why/how a multivalued field extraction is used/setup. Can you run following and check how many field extractions you find for this sourcetype of yours

$Splunk_Home/bin/splunk cmd btool props list YourSoureType

Re: mvexpand query

splunkn — Fri, 13 Mar 2015 14:41:17 GMT

Somesoni,

I need to extract this ip field from all sourcetypes. so I have used default stanza.
Also in this sample event there is only one IP. But in some other events we could find more than one IPs

[default]
REPORT-mvuniveralip = mvuniversalip

[mvuniversalip]
REGEX = (?P\d+.\d+.\d+.\d+)
MV_ADD = 1

Re: mvexpand query

splunkn — Fri, 13 Mar 2015 14:44:20 GMT

[default]
REPORT-mvuniveralip = mvuniversalip

[mvuniversalip]
REGEX = (?Pd+.d+.d+.d+)
MV_ADD = 1

Re: mvexpand query

somesoni2 — Fri, 13 Mar 2015 14:47:22 GMT

Can you run following query and tell how many values you get for field universal_ip (basically apply timerange/filter to select just one row mentioned in your sample)

index=* sourcetype=YourSourcetype "More filters" | table _raw, universal_ip | eval count=mvcount(universal_ip)

The count field should match with no of Ips in your _raw event.

Re: mvexpand query

woodcock — Tue, 19 May 2015 18:31:06 GMT

First of all, you use a MV field extraction for events that never contain more than 1 IP. That is your problem; get rid of your MV_ADD line and it will work as you expect.