https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572244#M199442 <P>Hi sir,</P><P>Thank you so much for the reply.. It works great..</P><P>Is there any way that i can merge error and failed into a single column called status? So that i can represent status in a single column?</P> Mon, 25 Oct 2021 11:24:33 GMT anooshac 2021-10-25T11:24:33Z https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572188#M199423 <DIV class=""><DIV class=""><P>Hi all, I have a xml file as below.</P><P><SPAN>&lt;?xml version="1.0" encoding="UTF-8"?&gt;</SPAN></P><P><SPAN>&lt;suite name="abc" timestamp="20.08.2021 15:47:20" hostname="kkt2si" tests="5" failures="1" errors="1" time="0"&gt;</SPAN></P><P><SPAN>&lt;case name="a" time="626" classname="x"&gt;</SPAN></P><P><SPAN>&lt;failure message="failed" /&gt; &lt;/case&gt;</SPAN></P><P><SPAN>&lt;case name="b" time="427" classname="x" /&gt; </SPAN></P><P><SPAN>&lt;case name="C" time="616" classname="y" /&gt; </SPAN></P><P><SPAN>&lt;case name="d" time="626" classname="y"&gt; </SPAN></P><P><SPAN>&lt;error message="error" /&gt; &lt;/case&gt; </SPAN></P><P><SPAN>&lt;case name="e" time="621" classname="x" /&gt; &lt;/suite&gt;</SPAN></P><P>&nbsp;</P><P><SPAN>The cases which doesnt have failure or errors are the ones which are passed. I am able to make a list of cases but i am confused how to add a column of the status. Anyone know the solution for this?</SPAN></P><P><SPAN>|spath output=cases path=suite.case{@name}| table cases</SPAN></P><P><SPAN>This is how i extracted the cases. I want to add a column which shows the status. Please suggest some answers.</SPAN></P><P>&nbsp;</P></DIV></DIV> Mon, 25 Oct 2021 05:32:53 GMT https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572188#M199423 anooshac 2021-10-25T05:32:53Z https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572230#M199436 <P>You could try something like this - expand the empty cases to the full XML syntax, then extract the cases into separate events, then extract the attributes from each event</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt; &lt;suite name=\"abc\" timestamp=\"20.08.2021 15:47:20\" hostname=\"kkt2si\" tests=\"5\" failures=\"1\" errors=\"1\" time=\"0\"&gt; &lt;case name=\"a\" time=\"626\" classname=\"x\"&gt; &lt;failure message=\"failed\" /&gt; &lt;/case&gt; &lt;case name=\"b\" time=\"427\" classname=\"x\" /&gt; &lt;case name=\"C\" time=\"616\" classname=\"y\" /&gt; &lt;case name=\"d\" time=\"626\" classname=\"y\"&gt; &lt;error message=\"error\" /&gt; &lt;/case&gt; &lt;case name=\"e\" time=\"621\" classname=\"x\" /&gt; &lt;/suite&gt;" | rex mode=sed max_match=0 "s/(?P&lt;case&gt;\&lt;case )(?P&lt;attr&gt;[^\/\&gt;]+)\/\&gt;/\1\2&gt;&lt;\/case&gt;/g" | rex max_match=0 "(?ms)(?&lt;case&gt;\&lt;case .+?\&lt;\/case\&gt;)" | mvexpand case | spath input=case output=name path=case{@name} | spath input=case output=failed path=case.failure{@message} | spath input=case output=error path=case.error{@message}</LI-CODE> Mon, 25 Oct 2021 10:25:32 GMT https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572230#M199436 ITWhisperer 2021-10-25T10:25:32Z https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572244#M199442 <P>Hi sir,</P><P>Thank you so much for the reply.. It works great..</P><P>Is there any way that i can merge error and failed into a single column called status? So that i can represent status in a single column?</P> Mon, 25 Oct 2021 11:24:33 GMT https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572244#M199442 anooshac 2021-10-25T11:24:33Z https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572245#M199443 <LI-CODE lang="markup">| eval status=coalesce(failed, error)</LI-CODE> Mon, 25 Oct 2021 11:30:26 GMT https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572245#M199443 ITWhisperer 2021-10-25T11:30:26Z https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572254#M199447 <P>yes.. Got it..&nbsp; Thank you so much..</P> Mon, 25 Oct 2021 12:05:51 GMT https://community.splunk.com/t5/Splunk-Search/XML-field-extraction/m-p/572254#M199447 anooshac 2021-10-25T12:05:51Z