Splunk Search Command of the Week: mvexpand

 

Data comes in all different formats. On more than a few occasions in Splunk, I’ve worked with data that contains fields with multiple values. A common example is port numbers on a network. It might like something like this:

Figure 1 - Example: port numbers on a network

Figure 1 – Example: port numbers on a network

When searching across data in Splunk like this, you may not want to find every port value, you may just find all information pertaining to “Cal05”. That’s where the Splunk search command mvexpand comes into play.

To call mvexpand into a search, simply type |mvexpand Ports this will expand the field argument give into their own event.

mvexpand Use Cases

Let’s look at this real-time. My search is index=main sourcetype=random | table Name Status Ports, and my results will look like this:

Figure 2 - Search example without mvexpand

Figure 2 – Search example without mvexpand

This is great if you need to see all of the data, but what if you only want to see information about port: Cal05? We can use mvexpand to separate the values to specify our results.

mvexpand Results

Let’s start by using just the search command mvexpand. Here is our search: index=”aodtest” sourcetype=”csv” |makemv delim=”,” Ports | mvexpand Ports | table Name Status Ports


Figure 3 - mvexpand example

Figure 3 – mvexpand example

Great — now every port has its own event. Next, we can specify our results to a specific value.  Let’s search: index=”aodtest” sourcetype=”csv” | makemv delim=”,” Ports | mvexpand Ports| search Ports=” Cal05″ | table Name Status Ports

Figure 4 - mvexpand specified example

Figure 4 – mvexpand specified example

As you can see from the results above, we were able to take all our server information and pull out a specific port and find the information related to that value. Problem solved! Your data is consolidated and more user-friendly thanks to the Splunk search command, mvexpand.

Please note: if you run into a situation where your data has multiple multi-values, you will need to use addition commands like mvzip and makemv.

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!

Author

Start typing and press Enter to search