Splunk Search

mvexpand issues and alternative needed

mbasharat
Builder

Hi all,

I have the situation below. The actual query is much longer, so I just need the logic.

cve is the multivalue field. It is separated by commas. For every affected asset, there is more than one CVE in each event, and every asset is affected by the same or more. I need to separate them first using the comma delimiter and then expand. My issue is that mvexpand has a 500MB default limit. I have raised it to 10000MB. This is not ideal, nor is it helping. I need an alternative to mvexpand. mvexpand also takes only one field to expand on. I have one more mvexpand in my query. So I am trying to look for an alternative option. Please advise. Thanks in advance.

index=abc sourcetype="xyz"

`comment limiting fields to only what I need`
| fields dnsName, macAddress, state, description, vulnPubDate, firstSeen, lastSeen, hasBeenMitigated, port, seeAlso, xref,
plugin_name, plugin_version, plugin_family, pluginInfo, pluginText, plugin_publication_date, plugin_modification_date, patch_publish_date, cvssV3Vector, plugin_id, cve, cvssV3BaseScore, ip, "repository.dataFormat"

`comment cve is a multivalue field separated by commas, so I need them separated and expanded to get correct stats`
| makemv delim="," cve
| mvexpand cve


`comment this is where my streaming commands go below which is long`

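One way to get per-CVE statistics without hitting the mvexpand memory ceiling is to split the field into a multivalue field and let stats do the distribution: when the BY field is multivalue, stats emits one row per value, so no expansion is needed. This is an added example and not part of the original post; field names are taken from the query above, the aggregations (distinct asset count, max CVSS score) are an assumption about what the downstream stats look like, and the second part uses a hypothetical field name `other_mv_field` to stand in for the unnamed field behind the poster's second mvexpand.

```spl
index=abc sourcetype="xyz"
| fields dnsName, ip, plugin_id, cve, cvssV3BaseScore, hasBeenMitigated

```` strip whitespace on the scalar string first, then turn it into a multivalue field;
    split() does not allocate a row per value, so it is cheap compared to mvexpand ````
| eval cve=split(replace(cve, "\s", ""), ",")

```` a multivalue BY field makes stats produce one row per CVE, with every event
    counted once under each CVE it carries; no mvexpand, no max_mem_usage_mb limit ````
| stats dc(dnsName) AS affected_assets, max(cvssV3BaseScore) AS max_cvss BY cve
| sort - affected_assets


```` If a row-per-value shape is unavoidable (for example, two parallel multivalue fields
    that must stay aligned), zip them into one field, expand once, and unzip.
    other_mv_field is a hypothetical placeholder for the second field. ````
index=abc sourcetype="xyz"
| fields dnsName, cve, other_mv_field
| eval cve=split(replace(cve, "\s", ""), ",")
| eval pair=mvzip(cve, other_mv_field, "|")
| fields - cve, other_mv_field
| mvexpand pair
| rex field=pair "^(?<cve>[^|]*)\|(?<other_mv_field>.*)$"
| fields - pair
```

The first query is the one to prefer: the memory cost of mvexpand comes from materialising one copy of every event per value, and stats over a multivalue BY field never builds that intermediate result set. The second query still expands, but only once instead of twice, and dropping the source fields before mvexpand keeps each expanded row small. The limit the post refers to is `max_mem_usage_mb` in the `[mvexpand]` stanza of limits.conf (500MB by default); raising it trades search-head memory for a larger expansion rather than removing the cost.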