Channel: Questions in topic: "splunk-enterprise"

[MACRO SOLUTION] mvexpand multiple multi-value fields

There are already several Splunk Answers around mvexpand multiple multi-value fields:

https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html
https://answers.splunk.com/answers/123887/how-to-expand-multiple-multivalue-fields.html

Some of them also helped in improving Splunk Docs (Example 3):
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand#Examples

Now, how do I deliver a better solution [*to feature in next installment of Smart AnSwerS ? ;) *]

Here is a `macro` based solution, which can scale horizontally for any number of fields. Please note, similar to other solutions, this works only with mvfields of the same cardinality (i.e. mvfields having the same mvcount).

Macro Name: `my_mvexpand(2)`
Arguments: `first_mv_field,other_mv_fields`

**macros.conf**

```
[my_mvexpand(2)]
args = first_mv_field,other_mv_fields
definition = | fields - _raw \
| eval fields_value=$first_mv_field$, \
fields_list="$first_mv_field$".",".replace("$other_mv_fields$"," ",",") \
| foreach $other_mv_fields$ \
[ eval fields_value=mvzip(fields_value,'<<FIELD>>') ] \
| mvexpand fields_value \
| eval fields_value=split(fields_value,","),fields_list=split(fields_list,",") \
| eval _raw=mvzip(fields_list,fields_value,"_X==") \
| extract pairdelim="\n" kvdelim="==" \
| fields - _raw,fields_list,fields_value \
| rename *_X as *
```

Usage: the `my_mvexpand` macro takes two arguments. The first argument is one of the multi-value fields which you would like to expand. The second argument takes the list of other multi-value fields (comma OR space separated) which you would like to zip & expand along with the mvfield in the first argument.

### Syntax:

- `my_mvexpand("mv_field_1","mv_field_2,mv_field_3")` // comma separated second argument
- `my_mvexpand("mv_field_1","mv_field_2 mv_field_3 mv_field_4")` // space separated second argument

### Example 1:

```
| makeresults
| eval f1=split("a1,a2,a3",",")
| eval f2=split("b1,b2,b3",",")
| eval f3=split("c1,c2,c3",",")
`my_mvexpand(f1,"f2 f3")`
```

### Example 2:

```
| makeresults
| eval x="another_single_value_field"
| eval f1=split("a1,a2,a3",",")
| eval f2=split("b1,b2,b3",",")
| eval f3=split("c1,c2,c3",",")
| eval f4=split("d1,d2,d3",",")
`my_mvexpand("f1","f2,f3,f4")`
```

Feel free to use and enhance :)
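As an added illustration (not part of the original post or of Splunk), the function below models what the `my_mvexpand` macro does to a single event, step by step, so the mvzip/mvexpand mechanics and the same-mvcount limitation can be inspected offline. Events are plain dicts whose multi-value fields are Python lists; the field names in the test are the constructed `f1`..`f4` values from the examples above.

```python
def my_mvexpand(event, first_mv_field, other_mv_fields):
    """Expand one event into one row per position of its multi-value fields.

    Mirrors the macro: zip the first mv field with each other mv field
    (mvzip), expand on the zipped string (mvexpand), split it back into
    values, pair each value with its field name (the fields_list trick,
    done in the macro via "_X==" pairs, extract and rename) and write the
    pairs back as single-value fields. Non-listed fields are carried over.
    """
    # Accept a comma- or space-separated list, as the macro's replace() does.
    others = other_mv_fields.replace(",", " ").split()
    fields_list = [first_mv_field] + others

    # The macro is only defined for mv fields of equal mvcount; make that
    # limitation an explicit error instead of silently producing short rows.
    counts = {f: len(event[f]) for f in fields_list}
    if len(set(counts.values())) != 1:
        raise ValueError(f"mvcount mismatch across fields: {counts}")

    # mvzip chain: one "a1,b1,c1"-style string per position.
    zipped = [",".join(vals) for vals in zip(*(event[f] for f in fields_list))]

    rows = []
    for fields_value in zipped:          # mvexpand fields_value
        values = fields_value.split(",")  # split(fields_value, ",")
        row = {k: v for k, v in event.items() if k not in fields_list}
        row.update(dict(zip(fields_list, values)))  # fields_list <-> values
        rows.append(row)
    return rows
```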
