https://community.splunk.com/t5/Splunk-Search/Multi-value-event-merging-and-breaking/m-p/154495#M43446 <P>Hi there,</P> <P>I am trying working out a scenario with Splunk and having a hard time on it.</P> <P>I have got a XML which has the order number in it. I need to do everything at search time. </P> <P>Example XPATH: //OrderNumber (the number of occurrence is one only in whole XML)<BR /> Then I am pulling out all the sub orders inside this order by using XPATH= //OrderNumber/SubOrderNumber ( this is dynamic - which means it can have more than 1 occurrences)<BR /> Then I am also looking for there statuses in the XML against the SubOrderNumber using XPATH= //OrderNumber/SubOrderNumberSTATUS ( this is dynamic - which means it can have more than 1 occurrences but it may be less or more than the sub order numbers)</P> <P>Now the problem is that all these fields are pulled out quite well but they all are in single event.</P> <P>Results:-</P> <HR /> <H2>Event 1:</H2> <PRE><CODE>OrderNumber SubOrderNumber SubOrderNumberStatus 12345 12345-1 Open 12345-2 Closed 12345-3 </CODE></PRE> <P>But I want to see the output as individual events , something like this:</P> <PRE><CODE>OrderNumber SubOrderNumber SubOrderNumberStatus 12345 12345-1 Open 12345 12345-2 Closed 12345 12345-3 {leave it blank} </CODE></PRE> <P>The above should be 3 different events.</P> <P>I tried using the below query which works fine if all the fields have some data :-</P> <P>| fields OrderNumber SubOrderNumber SubOrderNumberStatus<BR /> |eval fields=mvzip(OrderNumber,SubOrderNumber) | mvexpand fields | eval temp=split(fields,",") | eval OrderNumber_new =mvindex(temp,0)|eval SubOrderNumber_new =mvindex(temp,1)| table OrderNumber_new, SubOrderNumber_new</P> <P>Can anyone please provide some pointer around it.</P> <P>Thanks in advance.</P> Mon, 28 Sep 2020 15:54:58 GMT ramanjain1983 2020-09-28T15:54:58Z https://community.splunk.com/t5/Splunk-Search/Multi-value-event-merging-and-breaking/m-p/154495#M43446 <P>Hi there,</P> <P>I am trying working out a scenario with Splunk and having a hard time on it.</P> <P>I have got a XML which has the order number in it. I need to do everything at search time. </P> <P>Example XPATH: //OrderNumber (the number of occurrence is one only in whole XML)<BR /> Then I am pulling out all the sub orders inside this order by using XPATH= //OrderNumber/SubOrderNumber ( this is dynamic - which means it can have more than 1 occurrences)<BR /> Then I am also looking for there statuses in the XML against the SubOrderNumber using XPATH= //OrderNumber/SubOrderNumberSTATUS ( this is dynamic - which means it can have more than 1 occurrences but it may be less or more than the sub order numbers)</P> <P>Now the problem is that all these fields are pulled out quite well but they all are in single event.</P> <P>Results:-</P> <HR /> <H2>Event 1:</H2> <PRE><CODE>OrderNumber SubOrderNumber SubOrderNumberStatus 12345 12345-1 Open 12345-2 Closed 12345-3 </CODE></PRE> <P>But I want to see the output as individual events , something like this:</P> <PRE><CODE>OrderNumber SubOrderNumber SubOrderNumberStatus 12345 12345-1 Open 12345 12345-2 Closed 12345 12345-3 {leave it blank} </CODE></PRE> <P>The above should be 3 different events.</P> <P>I tried using the below query which works fine if all the fields have some data :-</P> <P>| fields OrderNumber SubOrderNumber SubOrderNumberStatus<BR /> |eval fields=mvzip(OrderNumber,SubOrderNumber) | mvexpand fields | eval temp=split(fields,",") | eval OrderNumber_new =mvindex(temp,0)|eval SubOrderNumber_new =mvindex(temp,1)| table OrderNumber_new, SubOrderNumber_new</P> <P>Can anyone please provide some pointer around it.</P> <P>Thanks in advance.</P> Mon, 28 Sep 2020 15:54:58 GMT https://community.splunk.com/t5/Splunk-Search/Multi-value-event-merging-and-breaking/m-p/154495#M43446 ramanjain1983 2020-09-28T15:54:58Z https://community.splunk.com/t5/Splunk-Search/Multi-value-event-merging-and-breaking/m-p/154496#M43447 <P>Easy this one!<BR /> I was unnecessarily complicating it by using mvzip. </P> Wed, 19 Feb 2014 00:17:54 GMT https://community.splunk.com/t5/Splunk-Search/Multi-value-event-merging-and-breaking/m-p/154496#M43447 ramanjain1983 2014-02-19T00:17:54Z