Knowledge Management

How can I mvexpand field of the events from summary index?

tac24
New Member

Before adding results to the summary index, I can mvexpand a multi-value field as expected. For example, this search checks mvexpand:

... | table reason a | stats values(a) as a_list by reason | table reason a_list | collect index=test_index | mvexpand a_list | table reason a_list | ...

Because of stats, a_list is multi-valued. Comparing the first table reason a with the last table reason a_list, although the field names are different (a vs a_list), the number of results and the values are, as a whole, the same, as expected.

But when I tried to mvexpand the results in the summary index,

index=test_index | table reason a_list | mvexpand a_list

there is no error message, but it cannot expand the multi-value field.

Questions: Are there any restrictions on using mvexpand for events in a summary index?
How can I work around this problem?

Thanks.

0 Karma

mayurr98
Super Champion

Hey, you can try something like this:

 ... | stats values(a) as a_list by reason | mvexpand a_list | collect index=test_index

and then try

 index=test_index 

I have re-arranged your query by adjusting and removing unnecessary commands!

Let me know if this helps!

0 Karma

493669
Super Champion

Hi @tac24,
You can try the below:

 ... | table reason a | stats values(a) as a_list by reason | mvexpand a_list | table reason a_list | collect index=test_index | table reason a_list | ...

Let me know if it works.

0 Karma