Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract Multivalue fields?

shrek
Engager
‎06-04-2022 05:54 PM

Lets just say I have multiple events like this:

names

John

Sam

Todd
favorite_colors

Blue

Yellow

Green

Each event might have a different number of field values but the ratio of names to favorite_colors is 1:1.

Is it possible to extract these into new events or display them separately in a table like this:

name favourite_color
John Blue
Sam Yellow
Todd Green

 

I have tried mvexpand but that only works for 1 multivalue field.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2022 07:23 PM

As you say, mvexpand works on one event, so there are a couple of ways to do it, here is one

| eval row=mvrange(0,mvcount(name))
| mvexpand row
| eval name=mvindex(name,row)
| eval favourite_colour=mvindex(favourite_colour,row)
| fields - row

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2022 07:23 PM

As you say, mvexpand works on one event, so there are a couple of ways to do it, here is one

| eval row=mvrange(0,mvcount(name))
| mvexpand row
| eval name=mvindex(name,row)
| eval favourite_colour=mvindex(favourite_colour,row)
| fields - row
Reply
Solved! Jump to solution

shrek
Engager
‎06-04-2022 08:04 PM

This was exactly what I was looking for, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...