Splunk Search

mvexpand issues and alternative needed


Hi all,

I have below situation. Actual query is much longer so I just need the logic.

cve is the multivalue field. It is seperated by comma. For every affected asset, there are more than one cves in each event and every asset is affected by same or more. I need to seperate them first using comma delim and then expand. My issue is that mvexpand has 500MB default limit. I have raised it to 10000MB. This is not ideal nor it is helping. I need an alternative to mvxpand. mvexpand also takes only one field to expand on. I have one more mvexpand in my query. So trying to look for an alternative option. Please advice. Thanks in advance.

index=abc sourcetype="xyz"

`comment limiting fields to only what I need`
| fields dnsName, macAddress, state, description, vulnPubDate, firstSeen, lastSeen, hasBeenMitigated, port, seeAlso, xref,
plugin_name, plugin_version, plugin_family, pluginInfo, pluginText, plugin_publication_date, plugin_modification_date, patch_publish_date, cvssV3Vector, plugin_id, cve, cvssV3BaseScore, ip, "repository.dataFormat"

`comment cve is a multivalue field separated by comma so I need to them separated and expanded to get correct stats`
| makemv delim="," cve
| mvexpand cve

`comment this is where my streaming commands go below which is long`

Labels (2)
Tags (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!