Usage of Splunk Commands : MVEXPAND
Hi Guys !!
We all know that working with multi-value fields in Splunk is a little more complicated than working with single-value fields. Today we will discuss the “mvexpand” command in Splunk. The main uses of the “mvexpand” command are listed below.
- As the name suggests, it expands any given multi-value field.
- The mvexpand command converts a multi-value field into single-value form, creating a separate event for each value.
The basic syntax of the “mvexpand” command in Splunk is:
| mvexpand <field>
<field> = Name of the multi-value field that you want to expand.
Example:
Before using MVEXPAND:
index="_internal" sourcetype="splunkd_ui_access" | stats values(method) as method by host
Result:
Explanation:
For this example we took data from the “_internal” index with the sourcetype “splunkd_ui_access”. Then, using the “stats” command with the “values” function, we created a multi-value field named “method”, grouped by the “host” field. Now what happens if we use “mvexpand” after this?
After using MVEXPAND:
index="_internal" sourcetype="splunkd_ui_access" | stats values(method) as method by host | mvexpand method
Result:
Explanation:
After using the “mvexpand” command, the “method” field is expanded into a single-value field with respect to the “host” field: each value of “method” gets its own row for its host.
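The same before/after behaviour can be reproduced without any indexed data. The search below is an added example, not part of the original post: the hosts and methods in the field constructed_sample are made-up sample values, and the field names constructed_sample and values_before are assumptions chosen for illustration. It builds one multi-value “method” field per host, records how many values each host had before expansion, and then expands the field so that every host/method pair becomes its own row, with “host” and “values_before” copied onto each row.

```spl
| makeresults
| eval constructed_sample="web01=GET,POST,DELETE;web02=GET;web03=GET,PUT"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<host>[^=]+)=(?<method>.+)$"
| makemv delim="," method
| eval values_before=mvcount(method)
| mvexpand method
| table host method values_before
```

Removing the last “mvexpand method” line shows the unexpanded form, with one row per host and all methods held in a single multi-value field.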
We hope you are now comfortable with the usage of the Splunk command MVEXPAND.
You can also find many eval functions in our Eval Function section that are very helpful for working with multi-value fields.
Happy Splunking !!