mvexpand command: Examples
The following are examples for using the SPL2 mvexpand command.
To learn more about the mvexpand command, see How the SPL2 mvexpand command works.
1. Expand the values in a specific field
Suppose you have the fields a, b, and c. Each field has the following corresponding values:
| a | b | c |
|---|---|---|
| 1 | x | V1, V2, V3 |
| 2 | y | V4, V5 |
To expand the values in the c field, use the mvexpand command and specify the c field.
... | mvexpand c
This example takes each row from the incoming search results and creates a new row for each value in the c field. The other fields are duplicated in every new row, while the c field holds one value from the multivalue field per row.
| a | b | c |
|---|---|---|
| 1 | x | V1 |
| 1 | x | V2 |
| 1 | x | V3 |
| 2 | y | V4 |
| 2 | y | V5 |
2. Limit the number of values from the multivalue field to expand
Limit the number of values to expand to 10. Any remaining values are dropped.
... | mvexpand limit=10 my_mvfield
3. Pipeline example
Consider the following raw event data:
| _raw |
|---|
| 9/13/2024 09:00:00 SERVER myserver STATUS: OK Server 1: 192.0.2.1 Server 2: 192.0.2.2 Server 3: 192.0.2.3 |
To separate the IP addresses from the _raw field, first use the rex command with max_match=0 to extract every IP address into the multivalue field iplist, and then use the mvexpand command to put each address in its own row.
$pipeline = from $source
| rex field=_raw max_match=0 /(?P<iplist>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
| mvexpand iplist
| into $destination
The results look like this:
| _raw | iplist |
|---|---|
| 9/13/2024 09:00:00 SERVER myserver STATUS: OK Server 1: 192.0.2.1 Server 2: 192.0.2.2 Server 3: 192.0.2.3 | 192.0.2.1 |
| 9/13/2024 09:00:00 SERVER myserver STATUS: OK Server 1: 192.0.2.1 Server 2: 192.0.2.2 Server 3: 192.0.2.3 | 192.0.2.2 |
| 9/13/2024 09:00:00 SERVER myserver STATUS: OK Server 1: 192.0.2.1 Server 2: 192.0.2.2 Server 3: 192.0.2.3 | 192.0.2.3 |
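To make the row-duplication and limit behaviour in examples 1 to 3 concrete, the following is a small Python model of the commands above. It is an added example, not Splunk code: the rex_all and mvexpand functions and the sample event are constructed here, and the rule that rows without the field pass through unchanged is an assumption of this model.

```python
import re

# Constructed sample event, modelled on the raw event in the pipeline example.
RAW_EVENT = {
    "_raw": "9/13/2024 09:00:00 SERVER myserver STATUS: OK "
            "Server 1: 192.0.2.1 Server 2: 192.0.2.2 Server 3: 192.0.2.3",
}

# Same pattern as the rex command on the page, without the named group.
IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def rex_all(events, field, pattern, dest):
    """Model of `rex field=<field> max_match=0`: every match becomes one
    value of the multivalue field `dest` (a Python list)."""
    out = []
    for ev in events:
        new = dict(ev)
        matches = pattern.findall(ev.get(field, ""))
        if matches:
            new[dest] = matches
        out.append(new)
    return out


def mvexpand(events, field, limit=0):
    """Model of `mvexpand [limit=N] <field>`: one output row per value, with
    all other fields duplicated. limit=0 means no limit; otherwise values
    past the limit are dropped. Rows where the field is absent or not
    multivalue pass through unchanged (assumption of this model)."""
    out = []
    for ev in events:
        values = ev.get(field)
        if not isinstance(values, list):
            out.append(dict(ev))
            continue
        if limit > 0:
            values = values[:limit]
        for value in values:
            row = dict(ev)
            row[field] = value
            out.append(row)
    return out


def ip_pipeline(events):
    """The pipeline example: rex max_match=0 into iplist, then mvexpand iplist."""
    return mvexpand(rex_all(events, "_raw", IPV4_RE, "iplist"), "iplist")
```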
See also
mvexpand command