Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

mvexpand gives less results

patilsh
Explorer
‎06-19-2017 05:09 PM

Now when i use mvexpand

i just get 600 results in statistics, instead of getting 1412 alll the events as below:
So i am not sure what is causing this problem.

Tags (1)
0 Karma
Reply

KailA
Contributor
‎07-26-2018 11:13 AM

With the screenshot, we can understand that the problem is maybe from the stats and not the mvexpand.

After the stats, there is 6 events and list_maxsize is by default to 100.
After the mvexpand, 600 events, thats totally normal 🙂

You can change the limits as explain in this answers : https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

KailA

0 Karma
Reply

DalJeanis
Legend
‎08-26-2018 01:33 PM

Converted to answer, because this is the most likely scenario.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2017 10:14 PM

Hi @patilsh,

Your ans is limits of mvexpand command. Please go through below links for more details.

Check Limits section of mvexpand.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Mvexpand

Check how to manage it with limits.conf.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Limitsconf

I hope it will help you.

Thanks
Kamlesh

0 Karma
Reply

DalJeanis
Legend
‎06-19-2017 07:45 PM

One possible error source is that | mvexpand Levelin will delete any record where Levelin is null.

Try this ...

index=my_search
| stats list(eventData.txLevelIn) as Levelin by callId
| eval Levelin=coalesce(Levelin,"") 
| mvexpand Levelin
Reply

dflodstrom
Builder
‎07-26-2018 07:38 AM

I'm not sure why this hasn't been accepted as the answer. It does appear that mvexpand negates any results where the value of the target field is null. I read your answer before looking at your query and ended up replacing my ... | eval filed=if(isnull(field), ... with the coalesce you used. Much appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...