mvexpand command: Overview, syntax, and usage
The SPL2 mvexpand command expands the values in a multivalue field into separate events, one event for each value in the multivalue field.
Use these links to quickly navigate to the main sections in this topic:
How the SPL2 mvexpand command works
The SPL2 mvexpand command creates individual events, or rows, for each value in a multivalue field. For example, the following search results contain the field productId which has multiple values.
| ipaddress | total_purchases | total_products | productId |
|---|---|---|---|
| 107.3.146.207 | 72 | 3 | DB-SG-G01
FS-SG-G03 WC-SH-G04 |
| 128.241.220.82 | 95 | 2 | DB-SG-G01
DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | DB-SG-G01
DC-SG-G02 FS-SG-G03 WC-SH-G04 |
| 211.166.11.101 | 91 | 2 | DB-SG-G01
WC-SH-G04 |
| 87.194.216.51 | 134 | 3 | DC-SG-G02
FS-SG-G03 WC-SH-G04 |
If you add ... | mvexpand productId to your search, a new row is created for each product ID. The multivalued fields are expanded into individual search results. The other fields are unchanged.
The results look something like this:
| ipaddress | total_purchases | total_products | productId |
|---|---|---|---|
| 107.3.146.207 | 72 | 3 | DB-SG-G01 |
| 107.3.146.207 | 72 | 3 | FS-SG-G03 |
| 107.3.146.207 | 72 | 3 | WC-SH-G04 |
| 128.241.220.82 | 95 | 2 | DB-SG-G01 |
| 128.241.220.82 | 95 | 2 | DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | DB-SG-G01 |
| 194.215.205.19 | 60 | 4 | DC-SG-G02 |
| 194.215.205.19 | 60 | 4 | FS-SG-G03 |
| 194.215.205.19 | 60 | 4 | WC-SH-G04 |
Syntax
The required syntax is in bold.
mvexpand
[limit=<int>]
<field>
Required arguments
field
Syntax: <field>
Description: The name of the multivalue field that you want to expand. You can only specify one field to expand.
Optional arguments
limit
Syntax: limit=<int>
Description: Specifies the number of values to expand in the multivalue field array. If there are any remaining values in the array those values are dropped. If omitted limit defaults to 0, which means there is no limit and all values are expanded.
Default: 0
Usage
You can use evaluation functions and statistical functions on multivalue fields or to create multivalue fields.
Differences between SPL and SPL2
The differences between the SPL and SPL2 mvexpand command are described in these sections.
Command options must be specified before command arguments
| Version | Example |
|---|---|
| SPL | ...mvexpand myfield limit=10 |
| SPL2 | ...mvexpand limit=10 myfield |
See also
mvexpand command