mvexpand issues and alternative needed


Hi all,

I have the situation below. The actual query is much longer, so I just need the logic.

cve is a multivalue field. It is separated by commas. For every affected asset, there is more than one cve in each event, and every asset is affected by the same ones or more. I need to separate them first using a comma delimiter and then expand. My issue is that mvexpand has a 500MB default limit. I have raised it to 10000MB. This is not ideal, nor is it helping. I need an alternative to mvexpand. mvexpand also takes only one field to expand on. I have one more mvexpand in my query, so I am looking for an alternative option. Please advise. Thanks in advance.

index=abc sourcetype="xyz"

`comment limiting fields to only what I need`
| fields dnsName, macAddress, state, description, vulnPubDate, firstSeen, lastSeen, hasBeenMitigated, port, seeAlso, xref,
plugin_name, plugin_version, plugin_family, pluginInfo, pluginText, plugin_publication_date, plugin_modification_date, patch_publish_date, cvssV3Vector, plugin_id, cve, cvssV3BaseScore, ip, "repository.dataFormat"

`comment cve is a multivalue field separated by comma so I need to them separated and expanded to get correct stats`
| makemv delim="," cve
| mvexpand cve

`comment this is where my streaming commands go below which is long`
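As an added example that is not part of the original post, the search below shows one way to get per-CVE statistics without `mvexpand`. Field names are taken from the question; the aggregation functions and the assumption that hasBeenMitigated holds the string "true" are mine. The point is that `stats` treats every value of a multivalue BY field as its own group, so an event with three CVEs is counted once under each of them and the expanded rows never have to be materialised in memory. A second multivalue field such as xref can be added to the BY clause the same way, which also covers the case that needed a second `mvexpand`.

```spl
index=abc sourcetype="xyz"
| fields dnsName, ip, cve, cvssV3BaseScore, hasBeenMitigated
| makemv delim="," cve
| stats dc(dnsName) AS affected_hosts,
        values(ip) AS ips,
        max(cvssV3BaseScore) AS cvss,
        sum(eval(if(hasBeenMitigated="true", 0, 1))) AS unmitigated_findings
        BY cve
| sort - cvss
```

If the streaming commands that follow genuinely need one row per CVE rather than an aggregate, run a `stats values(...) BY cve` like this first to shrink the result set to the fields you actually use, and only then expand; the memory `mvexpand` needs scales with the number of rows times the number of fields carried along, so dropping fields before the expansion is what keeps it under the limit.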
