Usage of Splunk Commands : MVEXPAND

Hi Guys !!

We all know that working with multi-value fields in Splunk is a little more complicated than working with single-value fields. Today we will discuss the “mvexpand” command in Splunk. The main uses of the “mvexpand” command are listed below.

  • As the name suggests, it expands a given multi-value field.
  • The mvexpand command converts an event with a multi-value field into normal single-value events, one event for each value of the field.

The basic syntax of the mvexpand command in Splunk is:

| mvexpand <field>

<field> = Name of the multi-value field which you want to expand.

Example:

Before using MVEXPAND:

index="_internal" sourcetype="splunkd_ui_access"
| stats values(method) as method by host

Result:

[Screenshot: search results before mvexpand]

Explanation:

As you can see, we took data from the “_internal” index with the sourcetype “splunkd_ui_access” for this example. Then, using the “stats” command with the “values” function, we created a multi-value field named “method”, grouped by the “host” field. Now what happens if we use “mvexpand” after this?

After using MVEXPAND:

index="_internal" sourcetype="splunkd_ui_access"
| stats values(method) as method by host
| mvexpand method

Result:

[Screenshot: search results after mvexpand]

Explanation:

After using the “mvexpand” command, the “method” field is expanded into single values: each host now has one row per method value.
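
A common next step when an event carries more than one multi-value field, shown as an added example that is not from the original post: running mvexpand on one field alone copies the other multi-value field whole onto every new row, so the search below zips the two fields together first, expands the pairs, then splits them back. The host name, the “status” field and all values are constructed sample data generated with makeresults, so it can be pasted into any search bar.

```spl
| makeresults
| eval host="web01", method=split("GET,POST,DELETE", ","), status=split("200,403,500", ",")
| eval pair=mvzip(method, status, "|")
| mvexpand pair
| eval method=mvindex(split(pair, "|"), 0), status=mvindex(split(pair, "|"), 1)
| table host method status
```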

Hope you are now comfortable with the usage of the Splunk command mvexpand.

You can also find many examples of eval functions in our Eval Function section, which are very helpful for working with multi-value fields.

Happy Splunking !!
