How can I mvexpand field of the events from summar...

tac24 · ‎01-18-2018

Before adding results into summary index, I can mvexpand a multi-value field as expected; for checking mvexpand search example,

...  |table reason a |stats values(a) as a_list by reason |table reason a_list |collect index=test_index | mvexpand a_list |table  reason a_list | ...

By stats, a_list has multi-value. The first table reason a and the last table reason a_list, though the field names are different (a va a_list), as a whole, the number of results and values are the same as expected.

But, when I tried to mvexpand to the results in the summary index,

index=test_index | table reason a_list |mvexpand a_list

there is no error message, but it can not expand multi-value field.

Questions: Is there any restrictions for mvexpand to be used for events in summary index?
How can I work around this problem?

Thanks.

mayurr98 · ‎01-19-2018

hey you can try something like this

 ...  |stats values(a) as a_list by reason |mvexpand a_list |collect index=test_index

and then try

 index=test_index

I have re-arranged your query by adjusting and removing unnecessary commands!

let me know if this helps!

493669 · ‎01-18-2018

Hi @tac24,
You can try below:

 ...  |table reason a |stats values(a) as a_list by reason| mvexpand a_list |table reason a_list |collect index=test_index  |table  reason a_list | ...

Let me know if it works.

How can I mvexpand field of the events from summary index?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How can I mvexpand field of the events from summary index?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?