topic Why does xmlkv only select last field? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-does-xmlkv-only-select-last-field/m-p/636347#M221000 <P>Hello fellow splunkers,</P> <P>I'm posting here because I would gladly have help with the following query.</P> <P>Let's say I have an XML like this one</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;?xml version='1.0' encoding='UTF-8'?&gt; &lt;rootElement&gt; &lt;group&gt; &lt;groupItemKey&gt;item1&lt;/groupItemKey&gt; &lt;groupItemValue&gt;0&lt;/groupItemValue&gt; &lt;/group&gt; &lt;group&gt; &lt;groupItemKey&gt;item2&lt;/groupItemKey&gt; &lt;groupItemValue&gt;1&lt;/groupItemValue&gt; &lt;/group&gt; &lt;group&gt; &lt;groupItemKey&gt;item3&lt;/groupItemKey&gt; &lt;groupItemValue&gt;2&lt;/groupItemValue&gt; &lt;/group&gt; ... &lt;group&gt; &lt;groupItemKey&gt;itemN&lt;/groupItemKey&gt; &lt;groupItemValue&gt;3&lt;/groupItemValue&gt; &lt;/group&gt; &lt;/rootElement&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>And I want to extract in a table like this all the possible combinations I have of groupItemKey and groupItemValue</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">GroupItemKey</TD> <TD width="50%">GroupItemValue</TD> </TR> <TR> <TD width="50%">item1</TD> <TD width="50%"> <P>0</P> </TD> </TR> <TR> <TD width="50%">item2</TD> <TD width="50%">1</TD> </TR> <TR> <TD>item3</TD> <TD>2</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I tried with the following query</P> <P>&nbsp;</P> <P>| makeresults<BR />| eval _raw="&lt;?xml version='1.0' encoding='UTF-8'?&gt;&lt;rootElement&gt;&lt;group&gt;&lt;groupItemKey&gt;item1&lt;/groupItemKey&gt;&lt;groupItemValue&gt;0&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item2&lt;/groupItemKey&gt;&lt;groupItemValue&gt;1&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item3&lt;/groupItemKey&gt;&lt;groupItemValue&gt;2&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;itemN&lt;/groupItemKey&gt;&lt;groupItemValue&gt;3&lt;/groupItemValue&gt;&lt;/group&gt;&lt;/rootElement&gt;"<BR />| xmlkv<BR />| table groupItemKey, groupItemValue</P> <P>&nbsp;</P> <P>But seems like that only the item with groupItemKey "itemN" gets considered when outputting the results on the table, same goes with regex</P> <P>&nbsp;</P> <P>Any ideas how to make it work so that splunk takes all the groupItemKey elements?</P> <P>Thanks a lot!</P> Tue, 28 Mar 2023 16:24:02 GMT salv1 2023-03-28T16:24:02Z Why does xmlkv only select last field? https://community.splunk.com/t5/Splunk-Search/Why-does-xmlkv-only-select-last-field/m-p/636347#M221000 <P>Hello fellow splunkers,</P> <P>I'm posting here because I would gladly have help with the following query.</P> <P>Let's say I have an XML like this one</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;?xml version='1.0' encoding='UTF-8'?&gt; &lt;rootElement&gt; &lt;group&gt; &lt;groupItemKey&gt;item1&lt;/groupItemKey&gt; &lt;groupItemValue&gt;0&lt;/groupItemValue&gt; &lt;/group&gt; &lt;group&gt; &lt;groupItemKey&gt;item2&lt;/groupItemKey&gt; &lt;groupItemValue&gt;1&lt;/groupItemValue&gt; &lt;/group&gt; &lt;group&gt; &lt;groupItemKey&gt;item3&lt;/groupItemKey&gt; &lt;groupItemValue&gt;2&lt;/groupItemValue&gt; &lt;/group&gt; ... &lt;group&gt; &lt;groupItemKey&gt;itemN&lt;/groupItemKey&gt; &lt;groupItemValue&gt;3&lt;/groupItemValue&gt; &lt;/group&gt; &lt;/rootElement&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>And I want to extract in a table like this all the possible combinations I have of groupItemKey and groupItemValue</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">GroupItemKey</TD> <TD width="50%">GroupItemValue</TD> </TR> <TR> <TD width="50%">item1</TD> <TD width="50%"> <P>0</P> </TD> </TR> <TR> <TD width="50%">item2</TD> <TD width="50%">1</TD> </TR> <TR> <TD>item3</TD> <TD>2</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I tried with the following query</P> <P>&nbsp;</P> <P>| makeresults<BR />| eval _raw="&lt;?xml version='1.0' encoding='UTF-8'?&gt;&lt;rootElement&gt;&lt;group&gt;&lt;groupItemKey&gt;item1&lt;/groupItemKey&gt;&lt;groupItemValue&gt;0&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item2&lt;/groupItemKey&gt;&lt;groupItemValue&gt;1&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item3&lt;/groupItemKey&gt;&lt;groupItemValue&gt;2&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;itemN&lt;/groupItemKey&gt;&lt;groupItemValue&gt;3&lt;/groupItemValue&gt;&lt;/group&gt;&lt;/rootElement&gt;"<BR />| xmlkv<BR />| table groupItemKey, groupItemValue</P> <P>&nbsp;</P> <P>But seems like that only the item with groupItemKey "itemN" gets considered when outputting the results on the table, same goes with regex</P> <P>&nbsp;</P> <P>Any ideas how to make it work so that splunk takes all the groupItemKey elements?</P> <P>Thanks a lot!</P> Tue, 28 Mar 2023 16:24:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-xmlkv-only-select-last-field/m-p/636347#M221000 salv1 2023-03-28T16:24:02Z Re: xmlkv only selects last field https://community.splunk.com/t5/Splunk-Search/Why-does-xmlkv-only-select-last-field/m-p/636352#M221002 <P>spath works with XML (as well as JSON)</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;?xml version='1.0' encoding='UTF-8'?&gt;&lt;rootElement&gt;&lt;group&gt;&lt;groupItemKey&gt;item1&lt;/groupItemKey&gt;&lt;groupItemValue&gt;0&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item2&lt;/groupItemKey&gt;&lt;groupItemValue&gt;1&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;item3&lt;/groupItemKey&gt;&lt;groupItemValue&gt;2&lt;/groupItemValue&gt;&lt;/group&gt;&lt;group&gt;&lt;groupItemKey&gt;itemN&lt;/groupItemKey&gt;&lt;groupItemValue&gt;3&lt;/groupItemValue&gt;&lt;/group&gt;&lt;/rootElement&gt;" | spath</LI-CODE> Tue, 28 Mar 2023 15:50:41 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-xmlkv-only-select-last-field/m-p/636352#M221002 ITWhisperer 2023-03-28T15:50:41Z