mvexpand
Description
Expands the values of a multivalue field into separate events, creating one event for each value in the multivalue field.
Syntax
mvexpand <field> [limit=<int>]
Mandatory Arguments
| Parameter | Syntax | Description |
|---|---|---|
| field | <field> | The field for which the values are expanded into separate events. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| limit | limit=<int> | Not limited. | The maximum number of values to expand: only the first <int> values of the field are turned into separate events; the remaining values are not output. |
Query Examples
Example 1
In this example, the stats command collects the unique values of the items field into a single multivalue field named order_items.
source orders-*
| stats values(items) as order_items
| order_items |
|---|
| Chicken Caesar Roll, Breakfast Burrito, Sweet and Sour Chicken, Fish and Chips, Hot Dog, Gyros, Asian Salad |
Subsequently, mvexpand expands the multivalue field order_items, creating a separate event for each item.
| mvexpand order_items
The query execution result may be the following table:
| order_items |
|---|
| Chicken Caesar Roll |
| Breakfast Burrito |
| Sweet and Sour Chicken |
| Fish and Chips |
| Hot Dog |
| Gyros |
| Asian Salad |
Example 2
The following query creates new events for only the first 3 values of the multivalue field order_items from Example 1.
... | mvexpand order_items limit=3
The query execution result may be the following table:
| order_items |
|---|
| Chicken Caesar Roll |
| Breakfast Burrito |
| Sweet and Sour Chicken |
Example 3
Analysis of user action audits
In this example, the mvexpand command expands the multivalue field action into one event per action value; the stats command then counts the events for each combination of user and action, and the sort command sorts the results in descending order by the count value.
... | mvexpand action
| stats count by user, action
| sort -count
Sample input data:
| _time | host | user | action |
|---|---|---|---|
| 2025-05-30 13:47:08 | ws-01 | smith | locked-out-user-account, credential-validated, enabled-user-account |
| 2025-05-30 13:49:08 | ws-01 | taylor | added-user-account, credential-validated, locked-out-user-account |
| 2025-05-30 13:50:08 | ws-02 | jones | credential-validated |
The query execution result may be the following table:
| user | action | count |
|---|---|---|
| smith | credential-validated | 110 |
| taylor | credential-validated | 101 |
| jones | credential-validated | 98 |
| smith | locked-out-user-account | 95 |
| taylor | locked-out-user-account | 89 |
| smith | enabled-user-account | 34 |
| taylor | added-user-account | 22 |
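The following Python script is an added illustration of the semantics shown in Examples 1 to 3; it is not the query engine's own code, and the sample orders and audit rows in it are constructed to mirror the tables above. It models mvexpand (one event per value, all other fields copied, an optional limit), stats values, stats count by and sort -count as plain functions, so the effect of the command can be checked offline. Two points matter when mvexpand feeds a detection query: expansion multiplies the event count (an audit record with three actions becomes three events, so per-user totals grow accordingly), and limit silently drops every value after the first N, which under-counts actions such as locked-out-user-account that do not happen to come first in the field. The behaviour for events where the field is absent or single-valued (passed through unchanged) and the first-seen ordering of stats values are assumptions made here, since the page does not state them.

```python
from collections import Counter
from typing import Any, Dict, List, Optional, Sequence

Event = Dict[str, Any]

# Constructed sample data modelled on the page's tables (made-up rows, not captured logs).
ORDERS: List[Event] = [
    {"items": ["Chicken Caesar Roll", "Breakfast Burrito"]},
    {"items": ["Sweet and Sour Chicken", "Fish and Chips", "Chicken Caesar Roll"]},
    {"items": ["Hot Dog", "Gyros", "Asian Salad", "Hot Dog"]},
]
AUDIT_EVENTS: List[Event] = [
    {"_time": "2025-05-30 13:47:08", "host": "ws-01", "user": "smith",
     "action": ["locked-out-user-account", "credential-validated", "enabled-user-account"]},
    {"_time": "2025-05-30 13:49:08", "host": "ws-01", "user": "taylor",
     "action": ["added-user-account", "credential-validated", "locked-out-user-account"]},
    {"_time": "2025-05-30 13:50:08", "host": "ws-02", "user": "jones",
     "action": "credential-validated"},   # single-valued: no fan-out
]


def mvexpand(events: Sequence[Event], field: str, limit: Optional[int] = None) -> List[Event]:
    """Emit one event per value of `field`, copying every other field unchanged.

    limit=N keeps only the first N values (None = not limited). Events where the
    field is absent or single-valued are passed through as-is (assumed behaviour;
    the page only shows multivalue input).
    """
    out: List[Event] = []
    for ev in events:
        values = ev.get(field)
        if not isinstance(values, list):
            out.append(dict(ev))
            continue
        for v in (values[:limit] if limit is not None else values):
            new_ev = dict(ev)
            new_ev[field] = v
            out.append(new_ev)
    return out


def stats_values(events: Sequence[Event], field: str) -> List[Any]:
    """`stats values(<field>)`: the unique values of `field` across all events as one
    multivalue list. First-seen order is an assumption made here for determinism."""
    unique: List[Any] = []
    for ev in events:
        vals = ev.get(field)
        for v in (vals if isinstance(vals, list) else [vals]):
            if v is not None and v not in unique:
                unique.append(v)
    return unique


def stats_count_by(events: Sequence[Event], *fields: str) -> List[Event]:
    """`stats count by f1, f2, ...`: one row per distinct combination with its count."""
    counter = Counter(tuple(ev.get(f) for f in fields) for ev in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def sort_desc(rows: Sequence[Event], key: str) -> List[Event]:
    """`sort -<key>`: descending by `key` (stable, so ties keep their original order)."""
    return sorted(rows, key=lambda r: r[key], reverse=True)


def expand_order_items(limit: Optional[int] = None) -> List[str]:
    """Examples 1 and 2: stats values(items) as order_items | mvexpand order_items [limit=N]."""
    summary = {"order_items": stats_values(ORDERS, "items")}
    return [ev["order_items"] for ev in mvexpand([summary], "order_items", limit=limit)]


def audit_pipeline(events: Sequence[Event], limit: Optional[int] = None) -> List[Event]:
    """Example 3: mvexpand action | stats count by user, action | sort -count."""
    expanded = mvexpand(events, "action", limit=limit)
    return sort_desc(stats_count_by(expanded, "user", "action"), "count")


def action_totals(events: Sequence[Event], limit: Optional[int] = None) -> Dict[str, int]:
    """Per-action totals after expansion; with a limit, later values are silently dropped."""
    rows = stats_count_by(mvexpand(events, "action", limit=limit), "action")
    return {r["action"]: r["count"] for r in rows}


if __name__ == "__main__":
    print(expand_order_items())           # 7 events, one per unique item
    print(expand_order_items(limit=3))    # first 3 items only
    for row in audit_pipeline(AUDIT_EVENTS):
        print(row)
    print(action_totals(AUDIT_EVENTS))            # credential-validated counted 3 times
    print(action_totals(AUDIT_EVENTS, limit=1))   # only the first action per event survives
```

Running the script shows the three constructed audit rows turning into seven user/action rows, and the comparison between action_totals with and without limit=1 makes the truncation visible: the two locked-out-user-account values drop to one because that action is first in only one event.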