Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

mvexpand multiple fields

michaelrosello
Path Finder
‎06-25-2018 01:24 AM

Is there a way to use mvexpand on multitple values?alt text

This is the result of my current search and I want it to look like this below. Note that there will multiple multivalue fields so i cannot use the mvzip or can I?

SESSIONID    Timstamp    Value1   Value2  Value3 
1             06/21        1         2      3 
1             06/22        2         3      4
Tags (2)
Preview file
19 KB
Reply

493669
Super Champion
‎06-25-2018 01:46 AM

First use mvzip the multi-values into a new field:

 | eval total=mvzip(value1, value2)    // create multi-value field using value1 and value2
 | eval total=mvzip(total, value3)  // add the third field

Now, Expand the field and restore the values:

 | mvexpand total                    // separate multi-value into into separate events
 | makemv total delim=","            // convert the reading into a multi-value
 | eval value1=mvindex(total, 0)      // set value1 to the first value of total
 | eval value2=mvindex(total, 1)      // set value2 to the second value of total
 | eval value3=mvindex(total, -1)     // set value3 to the last value of total
Reply

ryhluc01
Communicator
‎04-16-2019 03:10 PM

The -1 @ the end is recapturing the second result instead of the last. To fix this just remove the "-" in the last eval.

0 Karma
Reply

ryhluc01
Communicator
‎04-16-2019 02:11 PM

Can you close out this question by choosing @493669 answer?

0 Karma
Reply

madan27
Explorer
‎04-09-2019 03:44 AM

Please check this solution: https://answers.splunk.com/answers/724138/

0 Karma
Reply

FrankVl
Ultra Champion
‎06-25-2018 02:11 AM

To what extend would such an approach risk mixing up the connection between different 'rows' in the multi valued fields? Can you be sure that the first entry in multi valued field1 corresponds with the first entry in multi valued field2?

Might be safer to extract it as 1 field to begin with, then expand and only then split out to the individual fields?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...