Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

mvexpand gives less results

patilsh
Explorer
‎06-19-2017 05:09 PM

Now when i use mvexpand

i just get 600 results in statistics, instead of getting 1412 alll the events as below:
So i am not sure what is causing this problem.

Tags (1)
0 Karma
Reply

KailA
Contributor
‎07-26-2018 11:13 AM

With the screenshot, we can understand that the problem is maybe from the stats and not the mvexpand.

After the stats, there is 6 events and list_maxsize is by default to 100.
After the mvexpand, 600 events, thats totally normal 🙂

You can change the limits as explain in this answers : https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

KailA

0 Karma
Reply

DalJeanis
Legend
‎08-26-2018 01:33 PM

Converted to answer, because this is the most likely scenario.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2017 10:14 PM

Hi @patilsh,

Your ans is limits of mvexpand command. Please go through below links for more details.

Check Limits section of mvexpand.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Mvexpand

Check how to manage it with limits.conf.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Limitsconf

I hope it will help you.

Thanks
Kamlesh

0 Karma
Reply

DalJeanis
Legend
‎06-19-2017 07:45 PM

One possible error source is that | mvexpand Levelin will delete any record where Levelin is null.

Try this ...

index=my_search
| stats list(eventData.txLevelIn) as Levelin by callId
| eval Levelin=coalesce(Levelin,"") 
| mvexpand Levelin
Reply

dflodstrom
Builder
‎07-26-2018 07:38 AM

I'm not sure why this hasn't been accepted as the answer. It does appear that mvexpand negates any results where the value of the target field is null. I read your answer before looking at your query and ended up replacing my ... | eval filed=if(isnull(field), ... with the coalesce you used. Much appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...