nano SIEM
Search Commands

mvexpand

mvexpand

Expand multi-value fields into separate events. Convert arrays into individual rows.

Description

The mvexpand command takes a field containing multiple values (array) and creates a separate event for each value. This is useful for analyzing array fields, expanding lists, or normalizing data.

Syntax

... | mvexpand <field> [limit=<int>]

Required Arguments

field
Field containing multiple values to expand

Optional Arguments

limit
Syntax: limit=<int>
Description: Maximum number of values to expand per event

Examples

Expand port list

* | mvexpand dest_ports

Expand user list

* | mvexpand users limit=10

Expand and analyze

* | mvexpand tags
  | stats count() by tags

Expand IP list

* | mvexpand related_ips
  | dedup related_ips

Usage Notes

Creates rows: Each value becomes a separate event with all other fields duplicated.

Array fields: Only works on fields containing arrays/lists.

Performance: Can significantly increase row count.

  • stats - Aggregate expanded values
  • dedup - Remove duplicate expanded values

lookup

Previous Page

prevalence

Next Page

Edit this page on GitHub
On this page

On this page

mvexpand
Description
Syntax
Required Arguments
Optional Arguments
Examples
Expand port list
Expand user list
Expand and analyze
Expand IP list
Usage Notes
Related Commands