Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvexpand gives less results

patilsh
Explorer
‎06-19-2017 05:09 PM

Now when i use mvexpand

i just get 600 results in statistics, instead of getting 1412 alll the events as below:
So i am not sure what is causing this problem.

Tags (1)
0 Karma
Reply

KailA
Contributor
‎07-26-2018 11:13 AM

With the screenshot, we can understand that the problem is maybe from the stats and not the mvexpand.

After the stats, there is 6 events and list_maxsize is by default to 100.
After the mvexpand, 600 events, thats totally normal 🙂

You can change the limits as explain in this answers : https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

KailA

0 Karma
Reply

DalJeanis
Legend
‎08-26-2018 01:33 PM

Converted to answer, because this is the most likely scenario.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2017 10:14 PM

Hi @patilsh,

Your ans is limits of mvexpand command. Please go through below links for more details.

Check Limits section of mvexpand.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Mvexpand

Check how to manage it with limits.conf.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Limitsconf

I hope it will help you.

Thanks
Kamlesh

0 Karma
Reply

DalJeanis
Legend
‎06-19-2017 07:45 PM

One possible error source is that | mvexpand Levelin will delete any record where Levelin is null.

Try this ...

index=my_search
| stats list(eventData.txLevelIn) as Levelin by callId
| eval Levelin=coalesce(Levelin,"") 
| mvexpand Levelin
Reply

dflodstrom
Builder
‎07-26-2018 07:38 AM

I'm not sure why this hasn't been accepted as the answer. It does appear that mvexpand negates any results where the value of the target field is null. I read your answer before looking at your query and ended up replacing my ... | eval filed=if(isnull(field), ... with the coalesce you used. Much appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...