Splunk Search

How can I use mvexpand and mvcombine such that they don't crush other multivalued fields too?

sideview
SplunkTrust
SplunkTrust

I have a situation where I have two multi-valued fields in my data, and i want to call mvexpand on ONE of the fields and leave the second field multi-valued.
Unfortunately mvexpand seems to fall down here. It correctly expands out my first field but it at the same time flattens my other multivalued value. (For the record mvcombine has the same problem)

Here's a simple but completely artificial scenario to reproduce:

| stats count | eval field1="foo-bar-baz" | eval field2="fred-mildred" | makemv field1 delim="-" | makemv field2 delim="-"

That gives me one row, and 'field1' has 3 values and 'field2' has 2 values. Now tack on an mvexpand:

| stats count | eval field1="foo-bar-baz" | eval field2="fred-mildred" | makemv field1 delim="-" | makemv field2 delim="-" | mvexpand field1

I should have 3 rows now, and each of the rows should still have the multivalued value for field2. However it throws away the multivalued values and mysteriously falls back to the original string value.....

Is there any way around this problem?

Ultimately what this is all a part of, is that one of my multivalued fields represents all 'previous' values of a certain field. And my second multivalued field is all the 'current' values of that same field. I want to mvexpand the current values, then filter the set down to only the rows where the current (singlevalued) value is NOT contained in the previous set (multivalued), and then I get a nice table of notable additions basically. Open to other suggestions here too. 😃

NOTE: its ugly but i found a hack using eval to forcibly join and re-split the strings on either side. So instead of | mvexpand field1, I do this:

| eval field2=mvjoin(field2, "#_$_%") | mvexpand field1 | eval field2=split(field2, "#_$_%")

1 Solution

steveyz
Splunk Employee
Splunk Employee

This is a bug and will be fixed for 4.2

View solution in original post

steveyz
Splunk Employee
Splunk Employee

This is a bug and will be fixed for 4.2

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...