https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591824#M205996 <P>Hello,&nbsp;</P> <P>I have logs where there are multiple values for two fields. This data looks like this example below for each event.</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">dest</TD> <TD width="33.333333333333336%" height="25px">user</TD> <TD width="33.333333333333336%" height="25px">builtinadmin</TD> </TR> <TR> <TD width="33.333333333333336%" height="77px">computer1</TD> <TD width="33.333333333333336%" height="77px">user1<BR />user2</TD> <TD width="33.333333333333336%" height="77px"> <P>true</P> <P>false</P> </TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>It comes from this raw data:</P> <LI-CODE lang="markup">&lt;computer N=computer1 D=corp OS=Windows DC=false&gt; &lt;users&gt; &lt;user N='user1" builtinadmin="false" /&gt; &lt;user N="user2" builtinadmin="true" /&gt; &lt;/users&gt; &lt;/computer&gt;</LI-CODE> <P>&nbsp;</P> <P>Is there a way to show the data like this instead where each user correctly correlates to the builinadmin value?</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">dest</TD> <TD width="33.333333333333336%" height="25px">user</TD> <TD width="33.333333333333336%" height="25px">builtinadmin</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">computer1</TD> <TD width="33.333333333333336%" height="25px">user1</TD> <TD width="33.333333333333336%" height="25px">true</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">computer1</TD> <TD width="33.333333333333336%" height="25px">user2</TD> <TD width="33.333333333333336%" height="25px">false</TD> </TR> </TBODY> </TABLE> Fri, 01 Apr 2022 15:38:36 GMT gnostic_device 2022-04-01T15:38:36Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591824#M205996 <P>Hello,&nbsp;</P> <P>I have logs where there are multiple values for two fields. This data looks like this example below for each event.</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">dest</TD> <TD width="33.333333333333336%" height="25px">user</TD> <TD width="33.333333333333336%" height="25px">builtinadmin</TD> </TR> <TR> <TD width="33.333333333333336%" height="77px">computer1</TD> <TD width="33.333333333333336%" height="77px">user1<BR />user2</TD> <TD width="33.333333333333336%" height="77px"> <P>true</P> <P>false</P> </TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> <TD width="33.333333333333336%" height="25px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>It comes from this raw data:</P> <LI-CODE lang="markup">&lt;computer N=computer1 D=corp OS=Windows DC=false&gt; &lt;users&gt; &lt;user N='user1" builtinadmin="false" /&gt; &lt;user N="user2" builtinadmin="true" /&gt; &lt;/users&gt; &lt;/computer&gt;</LI-CODE> <P>&nbsp;</P> <P>Is there a way to show the data like this instead where each user correctly correlates to the builinadmin value?</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">dest</TD> <TD width="33.333333333333336%" height="25px">user</TD> <TD width="33.333333333333336%" height="25px">builtinadmin</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">computer1</TD> <TD width="33.333333333333336%" height="25px">user1</TD> <TD width="33.333333333333336%" height="25px">true</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">computer1</TD> <TD width="33.333333333333336%" height="25px">user2</TD> <TD width="33.333333333333336%" height="25px">false</TD> </TR> </TBODY> </TABLE> Fri, 01 Apr 2022 15:38:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591824#M205996 gnostic_device 2022-04-01T15:38:36Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591828#M205997 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244478">@gnostic_device</a>&nbsp;</P><P>Can you please try this?</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | eval t=mvzip(user,builtinadmin,"|") | mvexpand t | eval user=mvindex(split(t,"|"),0),builtinadmin=mvindex(split(t,"|"),1) | table dest user builtinadmin</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;computer N=computer1 D=corp OS=Windows DC=false&gt;&lt;users&gt;&lt;user N=\"user1\" builtinadmin=\"false\" /&gt;&lt;user N=\"user2\" builtinadmin=\"true\" /&gt;&lt;/users&gt;&lt;/computer&gt;" | spath | rename "computer{@N}" as dest, "computer.users.user{@N}" as user, "computer.users.user{@builtinadmin}" as builtinadmin | table dest user builtinadmin | rename comment as "Upto now is for sample data only" | eval t=mvzip(user,builtinadmin,"|") | mvexpand t | eval user=mvindex(split(t,"|"),0),builtinadmin=mvindex(split(t,"|"),1) | table dest user builtinadmin</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-03-31 at 11.19.09 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18881i88794C3070919564/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-03-31 at 11.19.09 PM.png" alt="Screenshot 2022-03-31 at 11.19.09 PM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR /> <BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Thu, 31 Mar 2022 17:49:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591828#M205997 kamlesh_vaghela 2022-03-31T17:49:22Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591829#M205998 <P>Hey</P><P>Not sure if there is any other easy way to do this but you can give this a try:</P><LI-CODE lang="markup">&lt;user search&gt; |eval tagged=mvzip(user,builtinadmin) | mvexpand tagged | makemv tagged delim="," | eval user=mvindex(tagged,0) | eval builtinadmin=mvindex(tagged,1) | table dest user builtinadmin</LI-CODE><P>let me know if this helps!</P> Thu, 31 Mar 2022 17:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591829#M205998 mayurr98 2022-03-31T17:49:57Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591921#M206047 <P>Since your data is in XML, here is an alternative to mvzip-split combination, using path option in builtin function&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath" target="_blank" rel="noopener">spath</A>.</P><P>&nbsp;</P><LI-CODE lang="markup">| rename computer{@N} AS dest ``` you already did this in your original search ``` | spath path=computer.users output=users ``` retain complete path as a single XML field ``` | eval users = split(users, " ") ``` for some reason users is single string; turn into multivalue ``` | mvexpand users | spath input=users ``` extract user attrib from XML after mvexpand ``` | rename user{@N} as user, user{@builtinadmin} as builtinadmin ``` do this AFTER mvexpand, not before ``` | table dest user builtinadmin</LI-CODE><P>&nbsp;</P><P>Sample data gives</P><TABLE><TBODY><TR><TD>dest</TD><TD>user</TD><TD>builtinadmin</TD></TR><TR><TD>computer1</TD><TD>user1</TD><TD>false</TD></TR><TR><TD>computer1</TD><TD>user2</TD><TD>true</TD></TR></TBODY></TABLE> Fri, 01 Apr 2022 09:49:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-to-multi-value-fields-from-one-event/m-p/591921#M206047 yuanliu 2022-04-01T09:49:24Z