Splunk mvexpand

Mar 8, 2016 · I have Splunk 6.
Splunk mvexpand: raw event snippet looks like this: Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, etc. When I try mvexpand index=cisco sourcetype…

Dec 13, 2023 · In short: do not use mvexpand, and solve the issue in a generic fashion.

Nov 11, 2017 · @blairmd, as @kamlesh_vaghela has mentioned, 1) you should rather fix empty values in the JSON data being logged than mock a dummy value at search time (enriching data after the stats command is better than cooking up _raw data).

To summarize all fields, remove the field list.

Doing some searching here on Answers I came across this previous answer:

Sep 11, 2024 · Yes! A combination of makemv delim="," views.

child child_Name dv_u_parent_class fqdn_name direction name parent 55555 xxxx PROD yyyy PROD zzzz-FSE2 abc.

Feb 8, 2019 · Here is a macro based solution for this question.

txt" value1 OR value2 | eval my_field = split(my_field, " ") | mvex…

I was finally able to accomplish this using spath & mvexpand.

Aug 8, 2020 · But when I am using spath and mvexpand I am getting 2/4 for all ab_score and all a_id.

The SPL2 mvexpand command creates…

Mar 12, 2021 · Hi, how do I go about that? I have not tried that yet; I'm not experienced enough to handle this sort of JSON.

I'm having the following error: command.

For instance I have the following logs. host.

got me what I was looking for. Thanks!

The second argument takes the list of other multi-value fields (comma OR space separated) which you would like to zip & expand along with the mvfield in the first argument.

If it's because you did some huge "stats…

Dec 17, 2023 · I agree with @richgalloway's response here for this particular example.

If there are other fields in the original event, those field values are included in the new rows when the array is expanded.
Splunk, Splunk>, Turn Data Into Doing, Data-to…

Mar 27, 2012 · The purpose is to later use mvexpand on contract and not get unnecessary duplicate records, since we don't care about contract_line.

You can only specify one field to expand.

This search is pulling systems belonging to a specific group in AD and then cleaning up the name from the member_dn field.

Aug 15, 2022 · ERROR - command.…

The answers here work if each field in a row has the same cardinality.

conf setting across search head and indexer clusters.

Dec 2, 2021 · I'm having a problem with mvexpand in Splunk.

First, mvzip the multi-values into a new field:
| eval reading=mvzip(vivol, usage) // create multi-value field for reading
| eval reading=mvzip(reading, limit) // add the third field

Feb 8, 2016 · Thanks for your help.

Aug 26, 2019 · BUT, if I use mvexpand: | mvexpand msglog | fillnull msglog value=0 | mvexpand component | fillnull component value=0 | dedup msglog component

Try using the split function to break up the field; then mvexpand should work.

2) Also, your JSON does not seem to be formatted correctly in the q…

Sep 16, 2024 · Here's an example using fieldsummary.

(Avoid multi-valued fields where you expect to have more than 1000 values.)

The query in question is the following: sourcetype="test" | spath output=id "schedule{}.

My search: host=test* | transaction Customer maxspan=…

How to use mvexpand in a table where there are multiple columns with different data counts?

Jul 28, 2021 · Mvexpand is running into limitations with memory and I cannot adjust it high enough to extract all of the values.

Otherwise, do not change the mvzipped variable.

Jan 18, 2024 · ommand.

I've been trying to get spath and mvexpand to work for days but apparently I am not doing something right.
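The mvzip-then-mvexpand pattern from the answer above, as a run-anywhere example added here (it is not code from any of the posts). It reuses the field names vivol, usage and limit from that answer, constructs two rows with makeresults (the second row deliberately has no limit field), guards the second mvzip() so a missing field does not null out reading and make mvexpand silently drop the row, strips _raw and the now-redundant multivalue fields before the expand to keep memory down, and unzips back into single-value fields afterwards:

```spl
| makeresults count=2
| streamstats count AS row
| eval vivol=split("vol1,vol2,vol3", ",")
| eval usage=split("10,20,30", ",")
| eval limit=if(row=1, split("100,200,300", ","), null())
| eval reading=mvzip(vivol, usage)
| eval reading=if(isnull(limit), reading, mvzip(reading, limit))
| fields - _raw vivol usage limit
| mvexpand reading
| eval parts=split(reading, ",")
| eval vivol=mvindex(parts, 0)
| eval usage=mvindex(parts, 1)
| eval limit=mvindex(parts, 2)
| fillnull value="NA" limit
| table row vivol usage limit
```

The search produces six rows: three for row 1 with limit 100/200/300 and three for row 2 with limit NA. Without the isnull() guard, mvzip(reading, limit) returns null on row 2, reading becomes null, and mvexpand drops that event entirely, which is the "field has no values for one or more events" failure described in the posts. The `fields -` before `mvexpand` is the single most effective way to stay under the max_mem_usage_mb limit, because every expanded event carries a copy of whatever fields remain.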
I have used the below SPL to extract a set of 8 fields from a statistics table shared in the case.

id" | spath output=recurrence "schedule{}.

See Use default fields in the Knowledge Manager Manual.

If you deal with complex JSON on a regular basis, be sure to check out the JMESPath app for Splunk.

This is an emulation you can play with and compare with real data:

Dec 6, 2019 · I am running into an issue with some spath and mvexpand functions in Splunk.

Nov 8, 2017 · Dear All, we have a scenario where, for each Application_ID, Application_Name is multi-value and delimited.

Pull records, mvexpand on a field named INTEL.

Create a single field with all the eventual fields you want, so you have a single MV, then use mvexpand to create the multiple entries, then do another parse on the (now single-) value to extract the three fields.

Memory threshold of 500MB as configured in limits.

I know I can create a MV field with an index and use mvexpand and then stats to get all back into a single event, but I run into memory issues with this in my own data.

When viewing the log event within Splunk, the requestBody stays as a string.

com filter: confidence >= 60 id: 2087 integrations: [ [-] { [-] name: nitro product: nitro product_version: 9.

mvexpand creates multiple rows with all column values matching.

Something like values() but limited to one event at a time.

Event=A

Thanks @Anonymous, I guess I am not understanding why I would need to do a regex.
I believe that mvexpand will help with the formatting of my report, but I have noticed that it seems to work with onl…

May 23, 2017 · It is easy to expand one multivalue field using mvexpand, but if I try to expand both fields I get duplicate rows.

We are currently using a command backed by a Python script to do this for all fields (thanks Vincent), but I'm wondering if there's a way to do it in pure Splunk within a query for one particular field.

conf value of max_memory_usage to a higher value than 500MB, but it's not working in version 6.

It would look somet…

Jun 26, 2019 · Hi @monawwer, you cannot use mvexpand in props.

This is the query I am running.

log* ``` get top 3…

Feb 15, 2013 · I need the ability to dedup a multi-value field on a per-event basis.

This is a multi-value field that could have anywhere from 1 to 11 different values.

timeUnixNano (The fields - xxx commands are not essential; they just declutter the view.)

Apr 17, 2024 · This is the only code requiring prior knowledge about data fields ``` | mvexpand hw.

Jun 3, 2024 · I give my Splunk 50GB of memory with max_mem_usage_mb = 50480 in the limits.

First, I will share the single-field version of the macro;

Apr 19, 2021 · The issue for this solution is where the field that the "mvexpand-like" process is being performed on has no values for one or more events.
One of the fields in my dataset sometimes has a single value - NULL - in which…

Apr 12, 2019 · Using mvzip and mvexpand on multivalue fields where the array sometimes doesn't exist

Feb 9, 2019 · MACRO BASED SOLUTION. Macro Name: my_mvexpand(2). Macro Arguments: first_mv_field,other_mv_fields. Macro Definition: | fields - _raw | eval…

Kinda new to Splunk.

Sep 1, 2017 · If I mvexpand the passenger field it will lead to duplicates of Flight; if I mvexpand flight it will show 4 passengers for each flight.

If you are working with the raw events but also have fields extracted, then remove _raw if you do not need it any more.

Dec 26, 2017 · What I am trying to do is eval the fields and mvzip the data, mvexpand that and then table it.

We would like the data loaded into individual rows, in the following manner. Example: Application_Name is multi-value and delimited (A:B:C)
Application_ID Application_Name
1 A:B:C
2 D:…

Nov 24, 2019 · mvexpand memory exceeded @ Splunk Answers: mvexpand, which expands multivalue fields, drops events once it exceeds the memory limit set in limits.

I'm currently looking into somehow creating a mvfield from the records array and handling the elements of that field individually using spath (e.g.
Oct 27, 2017 · OK, with parts of Hiroshi's query, some hints from colleagues, and the fact that due to that I was able to do the mvexpand after the stats sum, I figured it out:

Apr 23, 2021 · There are a couple of issues which often come up with the limits of mvexpand: one of these is the memory limit, the other is that it only applies to one field.

Since the event provides me a value indicating the state of the memory before/after the GC acti…

Feb 26, 2022 · I'm searching this within an index; how do I write it so it looks at the whole message?

Note, however, that SplunkWeb doesn't handle results with many columns as well as it does results with many rows.

If you have not created private apps, contact your Splunk…

Jul 25, 2022 · mvexpand doesn't work because the field is not a multi-value field.

Unfortunately mvexpand seems to fall down here.

Using the trick in the linked answer, only mvzip the field if it is not null.

conf is only used for field extractions for search-time operations.

It correctly expands out my first field but at the same time flattens my other multivalued…

Nov 5, 2012 · The advice from sdaniels in his comment worked like a charm.

Which is not working along with this.

Is there a way for us to get the memory usage of the mvexpand command in a scheduled search? Thank you.

Feb 8, 2019 · Use mvzip, makemv and then reset the fields based on index.

Any solution to join data and avoid the use of mvexpand?

Feb 26, 2021 · I'm looking for another way to run the search below and expand the computer field.

Feb 27, 2022 · They're not in the same order, some fields are repeated and some not, but each block opens and closes with 16R:FIN.

But unfortunately both of the commands are not working properly.

Jul 9, 2021 · The mvexpand command is used to normalize a multivalue field into new events, each associated with a single field value.
In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

- Generally you should look at the option of changing your query in such a way that you do not require mvexpand.

So it's probably worth mentioning that the field PCIDSS is just appended at search time for documentation purposes.

For example: if deviceMac 90:dd:5d:bf:10:54 is connected to SA91804F4A, then I…

And in a simple case like this it's not too bad, but if you have to unwrap a few JSON arrays simultaneously the mvzip() and mvexpand approach becomes super tedious.

I'd like to separate out the values to get a count for each.

conf.

I'm not sure why _raw was invalid, but perhaps it is a change with version 5 of Splunk.

Each task can be subject to…

You can raise the limits, of course, to delay the onset of the problem a little, as others already mention.

Replace the base search and field list as needed.

Apr 19, 2021 · Depending on what fields you absolutely need AFTER the mvexpand, try first to remove any fields you will not use after you have expanded the events.

It's a DTO which contains various fields, one of them being requestBody, which is a string and contains the JSON payload my endpoint is receiving.

Here it reverts the changes of mvcombine.

The first argument is one of the multi-value fields, which you would like to expand.

|target |condition |msglog |component

Sep 18, 2012 · I tried mvexpand but it only works with one mv_field.

The mvexpand command expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

Is there a way to increase or disable the limitation?
earliest="@d" splunk_server="Splunk4-02" index="rnc" sourcetype="RNC" managedObject_class="WCEL" "HSDPALayeringCommonChEnabled" OR "HSUPAEnable…

It also logs a field indicating the time elapsed during the GC activity.

Actual data with multivalue.

It should fill NA or NULL if there is no corresponding data.

Nov 7, 2022 · As you just need name and visuallyCompleteTime, you should only spath out those two fields, combine them, filter them for the ones required, expand them, then filter again and finally do the calcs.

Close with 16S:FIN.

Mar 27, 2017 · I need to expand multiple MV fields in Splunk.

Jan 9, 2012 · Solved: Hi, I previously asked this question and marked it as answered following eelisio2's response.

Jul 31, 2019 · I have the Cisco ISE app loaded and there is a field, Framed_IPv6_Address, that may contain up to six IPv6 addresses.

mvexpand Description

This is true even if you were using the real mvexpand; that is, if you mvexpand a field which has no entries for a particular event, this event gets removed.

mvexpand <field> [limit…

If you're mvexpanding original events, maybe it's worth reviewing onboarding of this sourcetype.

It is the opposite of mvcombine.

Below is an example of what I'm getting.

) Hope this helps.

Mar 21, 2020 · Is it possible to split comma separated values into a single column using field extraction? For example: input: abcd, efgh, ijkl, mnop.

260329+00:00 title

This is not working, and the characters between each 93B tag are not constant.

If you are a Splunk Cloud Platform administrator with experience creating private apps, see Manage private apps in your Splunk Cloud Platform deployment in the Splunk Cloud Platform Admin Manual.

Numbers are sorted based on the first digit.
index="dynatrace" sourcetype="dynatrace:usersession" | spath output=user_actions path="userActions{}" | mvexpand user…

Apr 26, 2011 · Hi, I needed to use mvexpand in my search (see below), but it limited my search results to 10000 events.

You can trigger the default 500MB memory limit with | makeresults | eval foo = mvrange(0,10000) | mvexpand foo in some Splunk instances; for example, 20000 simple values shouldn't need 5MB, let alone 500.

and mvexpand views.

May 26, 2016 · Solved: I am using mvexpand for getting multiple fields from an XML and grouping them.

Lexicographical order sorts items based on the values used to encode the items in computer memory.

My goal is to connect the first half of the passengers with the first flight, the second part with the second flight, then expand to create a single record for each registered passenger (I want to create a dashboard with searching by…

All other single field values and unexpanded multivalue field values will remain the same in each new event.

conf, and so events get omitted. That is why the earlier article gives the tip to delete _raw before running it.

Jun 3, 2019 · The problem comes after the stats, when I tried to mvexpand those fields.

It then puts it into a lookup table to use in ES.

I have developed a set of macros which go some way to solving both these issues.

My current search is source="log.

I need them in unique lines, as the data before 16S: is constant and should append to all reiterat…

| fields Monitor_Name Component | eval Component=split(Component, " ") | mvexpand Component

Apr 9, 2019 · Is there a way to use mvexpand on multiple values? This is the result of my current search and I want it to look like this below.
Expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

The data coming from the first source is so huge, and I have more than 4k rows.

There is an additional field with msglog=invalid login with component=old, which is not correct.

mvexpand: output will be truncated at 1103400 results due to excessive memory usage.

However, this field is becoming large, with 100+ unique values, and I only want to count a couple of values.

At least with the production data set I'm working with it should translate to about 40…

Nov 18, 2015 · Handling JSON arrays in Splunk can be difficult and require many SPL commands.

I need to further use other filters (search).

It works for entries that have data but will ignore those empty changes, which I also want it to display.

Oct 20, 2020 · mvexpand command syntax details. Syntax.

Mar 29, 2021 · Solved: I am trying to get counts based on comma delimited values for specified groupings of events.

energy{}.

Here's an example of 2 (note the confidence value differs): Event 1: { [-] email: hidden@hidden.

Jul 9, 2020 · From the observation, mvexpand does not truncate the result when it is over the limit.

However, if you want a more generalized approach to parsing out a table being ingested in Splunk with this format in _raw (capable of accounting for different headers and not having to build out a regex each time), you may want to try the SPL below.

The ordering within the mv doesn't matter to me, just that there aren't duplicates.

The mvexpand command is a transforming search command, and props.

Can anybody please help me understand what's going wrong?

Any help is greatly appreciated.
3 and I am using a query that has the mvexpand command, but mvexpand truncates the result because it exceeds 500MB memory usage. I have found in the Splunk docs for version 5 that I can edit limits.

Jun 18, 2021 · Here is a run-anywhere example: the first part sets up some dummy data with different combinations of text and dates; the second part effectively is the results of the lookup (and should be replaced with the real lookup); and the last part does the mvzip and mvmap to process the matching to return which entry matched the text and date.

Nov 10, 2017 · Hello friendly Splunk community, may I ask your assistance in dealing with a multivalue field that sometimes contains one item and sometimes does not contain that item.

Feb 3, 2011 · Is there a way to compare the values in two multivalue fields irrespective of the positions of the values that lie within? If not, is there a way to sort the values within a multivalue field? Currently I am using a simple field!=field expression; however, since I am NOT interested in the differences…

Jan 17, 2024 · Trying to expand the multivalue field with one-to-one mapping as shown in the image.

Sending data to Splunk via HEC.

Query: | inputlookup cee_d…

Jul 6, 2015 · I have a search query that separates multivalues and expands them into various results.
For example: Value1 Value2 Value3 Value4 "Value with a space 5" Value6. I think I need to use makemv, however this just nets me exactly what you would expect: | makeresults | eval temp="Value1 Value2 Value3 Valu…

May 11, 2020 · Looking for some assistance extracting all of the nested JSON values like the "results", "tags" and "iocs" in the screenshot.

mvexpand: output will be truncated at 3200 results due to excessive memory usage.

If you see column Id, you are seeing more data.

Setting a new field to the value of _raw and then using mvexpand on that works.

For example, the JSON data looks like this: VerificationItems: [ { Description: Description1 } { Description: De…

For Splunk Cloud Platform, you must create a private app to configure multivalue fields.

Numbers are sorted before letters.

Here is the sample data:
user Mail_diff GMail_diff Opt_diff
A NULL NULL NULL
B…

See Use the deployer to distribute apps and configuration updates in Splunk Enterprise Distributed Search and Update common peer configurations and apps in Splunk Enterprise Managing Indexers and Clusters of Indexers for information about changing the limits.

conf / [mvexpand] / max_mem_usage_mb has been reached.

Did I miss a hidden config option? Best regards, Marco

Here is my search: spath output=Manager…

Nov 15, 2018 · Hello, I am looking for optimization advice for a use case in which I need to create new event data and then calculate the time delta between two timestamps.

Nov 24, 2020 · My understanding is that this is basically doing the dirty work of mvexpand, but in a way that Splunk can hopefully do without blowing up every event at the same time? Thanks!
Understand how JSON data is processed in Splunk; interpret self-describing data with the spath command; manipulate multivalue fields with the mvzip and mvexpand commands; convert single-value fields into multivalue fields with specific commands and functions.

Nov 12, 2018 · Yes, mvexpand is very inefficient.

srv.

The mvexpand command can't be applied to internal fields.

The job inspector shows that the incoming data are a few 10 MB.

The amount of data is huge, and then the mvexpand is always truncated.

mvexpand [limit=<int>] <field>

How the SPL2 mvexpand command works.

The required syntax is in bold.

recurrence" | mvexpand id | fields _time id recurrence

Oct 23, 2020 · Mvexpand (Command): This command expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

3 } { [-] name: paloaltonetworks product: paloaltonetworks product_version: 3020 } ] last_intelligence: 2017-02-21T11:54:39.

Right now I do a generic stats count search of: index=foo | stats count by sig_names,sig_ids | sort -count and the res…

expand command overview.

I don't see how I specify the delimiter here.

From your question, I understan…

Jul 12, 2019 · I have a space delimited field that may contain quoted values that also include spaces.

I need to fetch data based on deviceMac such that each row gets the corresponding data from each column.

timeUnixNano | mvexpand hw.

Jul 31, 2019 · This is a kind of restricted data which I cannot share, but I can share a part of the logic which I have used.

Dec 7, 2016 · I have an event, from JVM garbage collection activity, and it is logged with a timestamp representing the beginning of the GC activity.
com ci_appld ci_ap…

Mar 22, 2013 · I asked a question earlier regarding the preformatting of a CSV report with several multivalue fields (Preformat Automatic Report - CSV) and was given the suggestion to use mvexpand.

It's a single-value field with embedded newlines.

) If not possible, then you can look at the option provided by… I hope this helps!!!

Hello everybody, I'm working on a query that does the following: 1.

I get the following error: "output will be truncated at 3700 results due to excessive memory usage."

For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100…

Jan 31, 2024 · The SPL2 mvexpand command expands the values in a multivalue field into separate events, one event for each value in the multivalue field.

Any help is appreciated.

In case someone else needs this in the future, my search is now:
index=foo | spath path=systems{} output=x | fields - _raw | fields upTime, type, id, x | mvexpand x | spath input=x | rename admins{} as admins | mvexpand admins | stats count as Count by type, admins

I ran into the same issue with two multi-valued fields, and arrived at a different solution: make a copy of the field to preserve the order for an mvfind, then use mvexpand, look up the value in the added field, look up each field that was NOT expanded, then drop the added field.

A weight is assigned to ea…

Mar 17, 2020 · The result of that query is so confusing 🙂 I would like to have one event per row in the table so that users can see the results.

Apr 10, 2018 · I have an index that contains two fields, sig_names and sig_ids, that can contain multiple values for each.

Oct 15, 2010 · I have a situation where I have two multi-valued fields in my data, and I want to call mvexpand on ONE of the fields and leave the second field multi-valued.
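A run-anywhere version of the nested-array approach in the search just above (spath path=systems{} to get one JSON object per value, mvexpand, then spath input=... on each object), added here as an example and not taken from any of the posts. The JSON event is constructed inline; the field names type, upTime, systems, id and admins are the ones from that search. One of the systems deliberately has no admins array, which is the case in which mvexpand silently drops the row, so the field is filled before the second expand:

```spl
| makeresults
| eval _raw="{\"type\":\"web\",\"upTime\":4210,\"systems\":[{\"id\":\"srv-1\",\"admins\":[\"alice\",\"bob\"]},{\"id\":\"srv-2\",\"admins\":[\"carol\"]},{\"id\":\"srv-3\"}]}"
| spath path=type
| spath path=upTime
| spath path=systems{} output=system_json
| fields - _raw
| mvexpand system_json
| spath input=system_json path=id
| spath input=system_json path=admins{} output=admins
| fillnull value="(none)" admins
| mvexpand admins
| stats count AS Count BY type, id, admins
```

The first mvexpand turns the single event into three (one per element of systems, each carrying type and upTime); the second turns srv-1 into two rows. Without the fillnull, srv-3 would vanish at the second mvexpand because it has no admins field, and nothing in the search output would tell you a system had been lost. Extracting only the top-level paths you need and dropping _raw before the first expand keeps each expanded event small, which is what matters for the max_mem_usage_mb limit.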
Dec 2, 2024 · Using the below sample search I'm trying to get every possible combination of results between two different sets of data, and I am interested if there are any good techniques for doing so that are relatively efficient.

mvexpand: output will be truncated at 1000 results due to…

Once expanded, perform a lookup using INTEL to retrieve a field WEIGHT.

(search memory usage hit 520 MB) Limit is set as follows:
[default] max_mem_usage_mb = 512
[mvexpand] max_mem_usage_mb = 512

Note that there will be multiple multivalue fields, so I cannot use mvzip, or can I?

Feb 21, 2017 · I have nested JSON events indexed in Splunk.

output:

Mar 27, 2017 · I figured it out using the case command.

Optional arguments: limit. Syntax: limit=<int>

This introduces four commands for handling multivalue fields. Multivalue commands: makemv, mvcombine, mvexpand, nomv. This article explains…

The mvexpand command splits a multivalue field across multiple results. Fields other than the specified field have their values copied into each of the split results. The syntax is as follows: mvexpand <field to expand>

Dec 19, 2017 · Since you're expanding one field at a time, the total number of rows will become N*N (say you have 3 items: the first field will yield 3 rows after mvexpand, with the second field still a multivalue field in all.

For each result, the mvexpand command creates a new result for every multivalue field.

3 and also this option does not exist in the default configuration.

Dec 20, 2018 · I have a query where I'm using the mvexpand and mvdedup commands to extract some records and calculate related values.

mvexpand [limit=<int>] <field>
Required arguments: field. Syntax: <field>. Description: The name of the multivalue field that you want to expand.

effectively break an event into many events through search); for the outer items like timeStamp I will probably devise some method to…

Mar 25, 2014 · I currently use mvexpand in order to count the number of unique values in a multi-value field.
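For the counting and per-event dedup questions above (counting unique values of a multivalue field, counting only a few of the values, deduplicating within one event), here is an added example that is not from any of the posts and avoids mvexpand entirely: mvdedup() removes duplicates inside each event, mvfilter() keeps only the values of interest, and stats ... BY a multivalue field counts each remaining value separately, so no rows are ever expanded and the mvexpand memory limit never comes into play. The field name sig_names is taken from the question above; the three sample events are constructed:

```spl
| makeresults count=3
| streamstats count AS row
| eval sig_names=case(row=1, "a,b,a,c", row=2, "b,c", row=3, "a")
| eval sig_names=mvdedup(split(sig_names, ","))
| eval sig_names=mvfilter(match(sig_names, "^(a|b)$"))
| where mvcount(sig_names) > 0
| stats count AS events BY sig_names
```

The result is two rows, a=2 and b=2: the duplicate "a" in the first event is counted once because mvdedup() ran before stats, "c" never appears because mvfilter() removed it, and an event whose values are all filtered away is dropped by the where clause (stats BY would drop it anyway, since the field is null). Changing the match() regex is the only edit needed to count a different subset of values.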
I have a set of tasks for which I need to calculate their lifetime, either from open to close, or from open to now().

conf, but Splunk 5.3 gives me a "mvexpand output will be truncated due to excessive memory usage".

I just had the same issue.

The my_mvexpand(2) macro takes two arguments.

Of course in the case I have given there are only four fields.

Use the SPL2 expand command on a field that contains an array of values to produce a separate result row for each object in the array.

index=_internal source=*splunkd.