Hey, I had discovered you can emulate the mvexpand function to avoid its limitation configured by the limits.conf. You just have to stats by the multivalue field you were trying to mvexpand, like so:

| stats values(*) AS * by <multivalue_field>

That's it, (edit:) assuming each value is a unique value such as a unique identifier. You can make values unique using methods like foreach to prepend a row-based number to each value, reverse join it, then use split and mvindex to remove the row numbers afterwards. (/Edit.)

Stats splits up <multivalue_field> into its individual rows, and the use of values(*) copies data across all rows.

As an added measure, you can make sure to avoid unnecessary _raw data to reduce memory use with an explicit fields just for it. In my experience, it turned out that using the | fields _time, * trick does not actually remove every single Splunk internal field. Removing _raw had to be explicit.

| fields _time, xxx, yyy, zzz, <multivalue_field>
| fields - _raw
| stats values(*) AS * by <multivalue_field>

The above strategy minimizes your search's disk space as much as possible before expanding the multivalue field.
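A self-contained search that exercises the trick above, including the uniqueness caveat, as an added example that is not part of the original post. It builds three constructed events with makeresults (hosts web01..web03, each with a multivalue dest_ip list, where 10.0.0.9 appears in all three so that a plain stats by dest_ip would merge the three hosts into one row). Instead of the foreach approach the post mentions, it uses mvmap (Splunk 8.0+) to prefix every value with the event's row number, which is an assumed substitution; the ":" separator is an assumption that holds only because the values themselves contain no colon.

```spl
| makeresults count=3
| streamstats count AS row
| eval host=case(row==1, "web01", row==2, "web02", row==3, "web03")
| eval dest_ip=case(row==1, "10.0.0.5 10.0.0.9", row==2, "10.0.0.9", row==3, "10.0.0.7 10.0.0.9")
| eval dest_ip=split(dest_ip, " ")
| fields - _raw
| eval dest_ip=mvmap(dest_ip, row . ":" . dest_ip)
| stats values(*) AS * by dest_ip
| eval dest_ip=mvindex(split(dest_ip, ":"), 1)
| fields - row
| sort host dest_ip
```

With the mvmap line and the mvindex line removed, the search returns three rows, and the row for 10.0.0.9 carries all three hosts as a multivalue host field, which is exactly the collapse the post warns about. With both lines in place the result is five rows, one per (host, dest_ip) pair, matching what mvexpand dest_ip would produce, and the explicit | fields - _raw before the stats keeps the intermediate result small, as the post recommends.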