mvexpand gives less results

patilsh · ‎06-19-2017

Now when i use mvexpand

i just get 600 results in statistics, instead of getting 1412 alll the events as below:
So i am not sure what is causing this problem.

KailA · ‎07-26-2018

With the screenshot, we can understand that the problem is maybe from the stats and not the mvexpand.

After the stats, there is 6 events and list_maxsize is by default to 100.
After the mvexpand, 600 events, thats totally normal 🙂

You can change the limits as explain in this answers : https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

KailA

DalJeanis · ‎08-26-2018

Converted to answer, because this is the most likely scenario.

kamlesh_vaghela · ‎06-19-2017

Hi @patilsh,

Your ans is limits of mvexpand command. Please go through below links for more details.

Check Limits section of mvexpand.
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Mvexpand

Check how to manage it with limits.conf.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Limitsconf

I hope it will help you.

Thanks
Kamlesh

DalJeanis · ‎06-19-2017

One possible error source is that | mvexpand Levelin will delete any record where Levelin is null.

Try this ...

index=my_search
| stats list(eventData.txLevelIn) as Levelin by callId
| eval Levelin=coalesce(Levelin,"") 
| mvexpand Levelin

dflodstrom · ‎07-26-2018

I'm not sure why this hasn't been accepted as the answer. It does appear that mvexpand negates any results where the value of the target field is null. I read your answer before looking at your query and ended up replacing my ... | eval filed=if(isnull(field), ... with the coalesce you used. Much appreciated.

mvexpand gives less results

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!