Splunk Search

How can I use mvexpand and mvcombine such that they don't crush other multivalued fields too?

sideview
SplunkTrust
SplunkTrust

I have a situation where I have two multi-valued fields in my data, and i want to call mvexpand on ONE of the fields and leave the second field multi-valued.
Unfortunately mvexpand seems to fall down here. It correctly expands out my first field but it at the same time flattens my other multivalued value. (For the record mvcombine has the same problem)

Here's a simple but completely artificial scenario to reproduce:

| stats count | eval field1="foo-bar-baz" | eval field2="fred-mildred" | makemv field1 delim="-" | makemv field2 delim="-"

That gives me one row, and 'field1' has 3 values and 'field2' has 2 values. Now tack on an mvexpand:

| stats count | eval field1="foo-bar-baz" | eval field2="fred-mildred" | makemv field1 delim="-" | makemv field2 delim="-" | mvexpand field1

I should have 3 rows now, and each of the rows should still have the multivalued value for field2. However it throws away the multivalued values and mysteriously falls back to the original string value.....

Is there any way around this problem?

Ultimately what this is all a part of, is that one of my multivalued fields represents all 'previous' values of a certain field. And my second multivalued field is all the 'current' values of that same field. I want to mvexpand the current values, then filter the set down to only the rows where the current (singlevalued) value is NOT contained in the previous set (multivalued), and then I get a nice table of notable additions basically. Open to other suggestions here too. 😃

NOTE: its ugly but i found a hack using eval to forcibly join and re-split the strings on either side. So instead of | mvexpand field1, I do this:

| eval field2=mvjoin(field2, "#_$_%") | mvexpand field1 | eval field2=split(field2, "#_$_%")

1 Solution

steveyz
Splunk Employee
Splunk Employee

This is a bug and will be fixed for 4.2

View solution in original post

steveyz
Splunk Employee
Splunk Employee

This is a bug and will be fixed for 4.2

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...