mvexpand
Description
Expands the values of a multivalue field into separate events, creating one event for each value in the multivalue field.
Syntax
mvexpand <field> [limit=<int>]
Mandatory Arguments
| Parameter | Syntax | Description |
|---|---|---|
| field | <field> | The field whose values are expanded into separate events. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| limit | limit=<int> | Not limited. | Expands only the first <int> values of the field; the remaining values are not expanded. |
Examples
Example 1
In this example, first stats values(items) as order_items collects unique values of the items field into a multivalue field order_items. Then mvexpand expands this field into separate events, one for each item.
source orders-*
| stats values(items) as order_items
| order_items |
|---|
| Chicken Caesar Roll Breakfast Burrito Sweet and Sour Chicken Fish and Chips Hot Dog Gyros Asian Salad |
Adding mvexpand to the pipeline converts this list into a flat set of rows, which is convenient for further filtering or aggregation:
| mvexpand order_items
The result of executing the query may be the following table:
| order_items |
|---|
| Caesar roll with chicken |
| Breakfast burrito |
| Sweet and sour chicken |
| Fish and Chips |
| Hot Dog |
| Gyros |
| Asian Salad |
Example 2
In this example, the parameter limit=3 keeps only the first three values of the multivalue field order_items.
... | mvexpand order_items limit=3
The result of executing the query may be the following table:
| order_items |
|---|
| Caesar roll with chicken |
| Breakfast burrito |
| Sweet and sour chicken |
Example 3
In this example, mvexpand action converts the multivalue field action into separate rows, after which stats count by user, action counts the number of events for each user and action pair. The sort command sorts the results in descending order by count.
... | mvexpand action
| stats count by user, action
| sort -count
Example input data:
| _time | host | user | action |
|---|---|---|---|
| 2025-05-30 13:47:08 | ws-01 | denisov | locked-out-user-account credential-validated enabled-user-account |
| 2025-05-30 13:49:08 | ws-01 | abramova | added-user-account credential-validated locked-out-user-account |
| 2025-05-30 13:50:08 | ws-02 | popov | credential-validated |
The result of executing the query may be the following table:
| user | action | count |
|---|---|---|
| denisov | credential-validated | 110 |
| abramova | credential-validated | 101 |
| popov | credential-validated | 98 |
| denisov | locked-out-user-account | 95 |
| abramova | locked-out-user-account | 89 |
| denisov | enabled-user-account | 34 |
| abramova | added-user-account | 22 |
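To make the expansion semantics concrete, here is an added Python model of mvexpand (with the limit parameter) followed by the stats count by user, action | sort -count stage of Example 3. This is illustrative code, not the query engine's implementation; the sample events are constructed from the Example 3 input table, and passing through events that lack the field is an assumption the page does not state.

```python
from collections import Counter

# Constructed sample events mirroring the Example 3 input table.
# A multivalue field is represented as a Python list.
EVENTS = [
    {"_time": "2025-05-30 13:47:08", "host": "ws-01", "user": "denisov",
     "action": ["locked-out-user-account", "credential-validated",
                "enabled-user-account"]},
    {"_time": "2025-05-30 13:49:08", "host": "ws-01", "user": "abramova",
     "action": ["added-user-account", "credential-validated",
                "locked-out-user-account"]},
    {"_time": "2025-05-30 13:50:08", "host": "ws-02", "user": "popov",
     "action": "credential-validated"},
]


def mvexpand(events, field, limit=None):
    """Emit one copy of each event per value of `field`.

    A single-valued field yields the event unchanged; `limit` keeps only
    the first N values. Events lacking the field are passed through as-is
    (assumption: the page does not describe that case).
    """
    out = []
    for ev in events:
        if field not in ev:
            out.append(dict(ev))
            continue
        values = ev[field] if isinstance(ev[field], list) else [ev[field]]
        for value in values[:limit]:          # [:None] keeps every value
            out.append({**ev, field: value})  # fresh copy per value
    return out


def count_by(events, *fields):
    """Model of `stats count by f1, f2 | sort -count` over expanded events."""
    counts = Counter(tuple(ev.get(f) for f in fields) for ev in events)
    # Descending by count, then by key so the order is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for key, n in count_by(mvexpand(EVENTS, "action"), "user", "action"):
        print(*key, n)
```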