https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599081#M208580 <LI-CODE lang="markup">| spath output=workstationNumber path=WorkstationMetrics.WorkstationMetricData{@WorkstationID} | spath output=workstationData path=WorkstationMetrics.WorkstationMetricData | fields - _raw | eval workstation=mvzip(workstationNumber, workstationData,"|") | mvexpand workstation | eval workstationNumber=mvindex(split(workstation,"|"),0) | eval workstationData=mvindex(split(workstation,"|"),1) | spath output=sequenceType input=workstationData path=SequenceNumberValue{@TypeCode} | spath output=sequenceNumber input=workstationData path=SequenceNumberValue | eval typevalue=mvzip(sequenceType, sequenceNumber,"|") | mvexpand typevalue | eval sequenceType=mvindex(split(typevalue,"|"),0) | eval sequenceNumber=mvindex(split(typevalue,"|"),1) | fields - workstation workstationData typevalue</LI-CODE> Tue, 24 May 2022 13:27:33 GMT ITWhisperer 2022-05-24T13:27:33Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599072#M208579 <P>Hello Splunkers!</P><P>I have an issue in grouping multivalued field after extracting fields from nested xml. The sample is as follows,</P><P>&nbsp;</P><LI-CODE lang="markup"> &lt;WorkstationMetrics xmlns=“xxxxxxxx”&gt; &lt;WorkstationMetricData TypeCode="None" WorkstationID="0"&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="First"&gt;15704&lt;/SequenceNumberValue&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="Last"&gt;15710&lt;/SequenceNumberValue&gt; &lt;/WorkstationMetricData&gt; &lt;WorkstationMetricData TypeCode="Manual" WorkstationID="03"&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="First"&gt;9395&lt;/SequenceNumberValue&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="Last"&gt;9463&lt;/SequenceNumberValue&gt; &lt;/WorkstationMetricData&gt; &lt;WorkstationMetricData TypeCode="Manual" WorkstationID="05"&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="First"&gt;62&lt;/SequenceNumberValue&gt; &lt;SequenceNumberValue Timestamp="2022-05-1" TypeCode="Last"&gt;297&lt;/SequenceNumberValue&gt; &lt;/WorkstationMetricData&gt; &lt;/WorkstationMetrics&gt;</LI-CODE><P>&nbsp;</P><P class="">I tried with following search query to&nbsp; extract field. But the fields extracted are multivalued with <FONT color="#FF0000"><U>varying</U></FONT> <U><FONT color="#FF0000">cardinality</FONT></U> and hence some of my <U><FONT color="#FF0000">mvzip</FONT></U> commands are not working as expected. Please find below my search query for your reference.</P><P>&nbsp;</P><LI-CODE lang="markup">index=... sourcetype=... | spath output=workstationNumber path=WorkstationMetrics.WorkstationMetricData{@WorkstationID} | spath output=sequenceType path=WorkstationMetrics.WorkstationMetricData.SequenceNumberValue{@TypeCode} | spath output=sequenceNumber path=WorkstationMetrics.WorkstationMetricData.SequenceNumberValue | eval consolidate=mvzip(sequenceType,sequenceNumber) | mvexpand consolidate | eval temp=split(consolidate,","), type=mvindex(temp,0), seqno=mvindex(temp,1) | table workstationNumber type seqno</LI-CODE><P>&nbsp;</P><P class="">I expect to present this data in following format, could some one&nbsp;</P><TABLE border="1" width="32.92326537754834%"><TBODY><TR><TD width="10%" height="25px"><STRONG>Sl.no</STRONG></TD><TD width="10%" height="25px"><STRONG>WorkstationID</STRONG></TD><TD width="10%" height="25px"><STRONG>TypeCode</STRONG></TD><TD width="10%" height="25px"><STRONG>SequenceNumberValue</STRONG></TD></TR><TR><TD width="10%" height="47px">1</TD><TD width="10%" height="47px">0</TD><TD width="10%" height="47px">First</TD><TD width="10%" height="47px">15704</TD></TR><TR><TD width="10%" height="47px">2</TD><TD width="10%" height="47px">0</TD><TD width="10%" height="47px">Last</TD><TD width="10%" height="47px">15710</TD></TR></TBODY></TABLE><P class="">Any help in mapping 2 multivalued fields with varying cardinality would resolve this issue. Or do we need think out of box?</P> Tue, 24 May 2022 13:05:05 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599072#M208579 sundarrajan 2022-05-24T13:05:05Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599081#M208580 <LI-CODE lang="markup">| spath output=workstationNumber path=WorkstationMetrics.WorkstationMetricData{@WorkstationID} | spath output=workstationData path=WorkstationMetrics.WorkstationMetricData | fields - _raw | eval workstation=mvzip(workstationNumber, workstationData,"|") | mvexpand workstation | eval workstationNumber=mvindex(split(workstation,"|"),0) | eval workstationData=mvindex(split(workstation,"|"),1) | spath output=sequenceType input=workstationData path=SequenceNumberValue{@TypeCode} | spath output=sequenceNumber input=workstationData path=SequenceNumberValue | eval typevalue=mvzip(sequenceType, sequenceNumber,"|") | mvexpand typevalue | eval sequenceType=mvindex(split(typevalue,"|"),0) | eval sequenceNumber=mvindex(split(typevalue,"|"),1) | fields - workstation workstationData typevalue</LI-CODE> Tue, 24 May 2022 13:27:33 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599081#M208580 ITWhisperer 2022-05-24T13:27:33Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599151#M208590 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;! It even works over a large dataset with multiple lines. A clear out-of box view, of taking the portion of event as a field and piping to rex&nbsp; the relevant field.&nbsp;</P><P>Thanks again!</P> Tue, 24 May 2022 18:45:11 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-mapping-issue-from-an-nested-XML-source/m-p/599151#M208590 sundarrajan 2022-05-24T18:45:11Z