Splunk Search

mvexpand multiple multi-value fields [MACRO BASED SOLUTION]

dmanojbaba
Explorer

There are already several Splunk Answers around mvexpand multiple multi-value fields.

https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html
https://answers.splunk.com/answers/123887/how-to-expand-multiple-multivalue-fields.html

Some of them also helped in improving Splunk Docs (Example 3)
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand#Examples

Now, how can it auto-scale horizontally for any number of fields?

Here is a macro based solution for this question.

Macro Name:
my_mvexpand(2)

Usage:
The my_mvexpand(2) macro takes two arguments.
The first argument is one of the multi-value fields which you would like to expand.
The second argument takes the list of other multi-value fields (comma OR space separated) which you would like to zip & expand along with the mvfield in the first argument.

### Syntax:
`my_mvexpand("mv_field_1","mv_field_2,mv_field_3")`                //comma separated second argument
`my_mvexpand("mv_field_1","mv_field_2 mv_field_3 mv_field_4")`  //space separated second argument

### Example 1:
| makeresults 
| eval f1=split("a1,a2,a3",",") 
| eval f2=split("b1,b2,b3",",") 
| eval f3=split("c1,c2,c3",",")
    `my_mvexpand(f1,"f2 f3")`

### Example 2:
| makeresults 
| eval x="another_single_value_field" 
| eval f1=split("a1,a2,a3",",") 
| eval f2=split("b1,b2,b3",",") 
| eval f3=split("c1,c2,c3",",") 
| eval f4=split("d1,d2,d3",",")
    `my_mvexpand("f1","f2,f3,f4")`

Please note, similar to other solutions already answered in Splunk Answers, this macro based solution works only with mvfields of the same cardinality (i.e. mvfields having the same mvcount).

Feel free to use and enhance 🙂

0 Karma
1 Solution

dmanojbaba
Explorer

MACRO BASED SOLUTION

Macro Name:
my_mvexpand(2)

Macro Arguments:
first_mv_field,other_mv_fields

Macro Definition:

| fields - _raw 
| eval fields_value=$first_mv_field$, 
    fields_list="$first_mv_field$".",".replace("$other_mv_fields$"," ",",") 
| foreach $other_mv_fields$ 
    [ eval fields_value=mvzip(fields_value,'<<FIELD>>') ] 
| mvexpand fields_value 
| eval fields_value=split(fields_value,","),
    fields_list=split(fields_list,",") 
| eval _raw=mvzip(fields_list,fields_value,"_X==") 
| extract pairdelim="\n" kvdelim="==" 
| fields - _raw,fields_list,fields_value 
| rename *_X as *

macros.conf

[my_mvexpand(2)]
args = first_mv_field,other_mv_fields
definition = | fields - _raw \
| eval fields_value=$first_mv_field$, \
    fields_list="$first_mv_field$".",".replace("$other_mv_fields$"," ",",") \
| foreach $other_mv_fields$ \
    [ eval fields_value=mvzip(fields_value,'<<FIELD>>') ] \
| mvexpand fields_value \
| eval fields_value=split(fields_value,","),\
    fields_list=split(fields_list,",") \
| eval _raw=mvzip(fields_list,fields_value,"_X==") \
| extract pairdelim="\n" kvdelim="==" \
| fields - _raw,fields_list,fields_value \
| rename *_X as *
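To make the macro's steps easier to follow outside Splunk, here is a Python model of the same pipeline (an added example, not Splunk code and not part of the original post): zip the named fields into one composite value, expand it to one row per value, split each value back out and restore the field names. The results, the `mvzip` helper and the cardinality check are constructed for this model; the separator rules (comma/space second argument, "," inside zipped values) mirror the macro.

```python
import re


def mvzip(a, b, delim=","):
    """Pairwise join of two multi-value lists (model of Splunk's mvzip).
    Assumption of this model: the lists must have equal length, which is
    the same-cardinality limitation the post calls out."""
    if len(a) != len(b):
        raise ValueError(f"cardinality mismatch: {len(a)} vs {len(b)}")
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def my_mvexpand(results, first_mv_field, other_mv_fields):
    """Expand `first_mv_field` together with the fields listed in
    `other_mv_fields` (comma or space separated, like the macro's 2nd arg).
    Multi-value fields are lists, single-value fields are plain strings."""
    # fields_list = "$first$" . "," . replace("$others$", " ", ",")
    others = [f for f in re.split(r"[ ,]+", other_mv_fields.strip()) if f]
    fields_list = [first_mv_field] + others
    expanded = []
    for row in results:
        # foreach <<FIELD>> [ eval fields_value=mvzip(fields_value,'<<FIELD>>') ]
        fields_value = list(row[first_mv_field])
        for name in others:
            fields_value = mvzip(fields_value, row[name])
        # mvexpand fields_value: one row per zipped value, other fields copied
        for composite in fields_value:
            new_row = {k: v for k, v in row.items() if k not in fields_list}
            # split(fields_value, ","): as in the macro, values must not
            # themselves contain the "," delimiter or they split wrongly
            values = composite.split(",")
            # mvzip(fields_list, values, "_X==") + extract + rename *_X as *
            # collapse to: each field name gets its positional value
            new_row.update(dict(zip(fields_list, values)))
            expanded.append(new_row)
    return expanded


# Constructed sample mirroring the post's Example 2 (f1..f4 plus single-value x)
SAMPLE = [{
    "x": "another_single_value_field",
    "f1": ["a1", "a2", "a3"],
    "f2": ["b1", "b2", "b3"],
    "f3": ["c1", "c2", "c3"],
    "f4": ["d1", "d2", "d3"],
}]

if __name__ == "__main__":
    for r in my_mvexpand(SAMPLE, "f1", "f2,f3,f4"):
        print(r)
```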

