https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256517#M76795 <P>I've an xml wth below structure</P> <PRE><CODE>&lt;root&gt;&lt;stats&gt; &lt;total&gt; &lt;stat pass="12" fail="12"&gt;C&lt;/stat&gt; &lt;stat pass="12" fail="12"&gt;A&lt;/stat&gt; &lt;/total&gt; &lt;tag&gt; &lt;stat pass="2" fail="4"&gt;X&lt;/stat&gt; &lt;stat pass="10 fail="8"&gt;Y&lt;/stat&gt; &lt;/tag&gt; &lt;more-sets/&gt; &lt;/stats&gt;&lt;/root&gt; </CODE></PRE> <P>What I need</P> <PRE><CODE>...| table type fail pass </CODE></PRE> <P>I can get this separately with below search (replace total with tag and so on)</P> <PRE><CODE>base search | table root.stats.total.stat* | rename root.stats.total.stat{@*} as * | eval temp=mvzip('root.stats.total.stat', mvzip(fail, pass, "#"), "#") | table temp | mvexpand temp | rex field=temp "(?&lt;Total&gt;.*)#(?&lt;Fail&gt;.*)#(?&lt;Pass&gt;.*)" | fields Total Fail Pass </CODE></PRE> <P>Is there a way to do it in single search ?</P> Fri, 02 Oct 2015 09:52:38 GMT i2sheri 2015-10-02T09:52:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256517#M76795 <P>I've an xml wth below structure</P> <PRE><CODE>&lt;root&gt;&lt;stats&gt; &lt;total&gt; &lt;stat pass="12" fail="12"&gt;C&lt;/stat&gt; &lt;stat pass="12" fail="12"&gt;A&lt;/stat&gt; &lt;/total&gt; &lt;tag&gt; &lt;stat pass="2" fail="4"&gt;X&lt;/stat&gt; &lt;stat pass="10 fail="8"&gt;Y&lt;/stat&gt; &lt;/tag&gt; &lt;more-sets/&gt; &lt;/stats&gt;&lt;/root&gt; </CODE></PRE> <P>What I need</P> <PRE><CODE>...| table type fail pass </CODE></PRE> <P>I can get this separately with below search (replace total with tag and so on)</P> <PRE><CODE>base search | table root.stats.total.stat* | rename root.stats.total.stat{@*} as * | eval temp=mvzip('root.stats.total.stat', mvzip(fail, pass, "#"), "#") | table temp | mvexpand temp | rex field=temp "(?&lt;Total&gt;.*)#(?&lt;Fail&gt;.*)#(?&lt;Pass&gt;.*)" | fields Total Fail Pass </CODE></PRE> <P>Is there a way to do it in single search ?</P> Fri, 02 Oct 2015 09:52:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256517#M76795 i2sheri 2015-10-02T09:52:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256518#M76796 <P>You current search is already a single search (no subsearch/append etc). Could you be more specific on what you're looking for? May be a sudo query that you expect.</P> Fri, 02 Oct 2015 18:04:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256518#M76796 somesoni2 2015-10-02T18:04:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256519#M76797 <P>I want below from total/tag( or any other tag in ) in one search query<BR /> C 12 12 <BR /> A 12 12<BR /> X 4 8<BR /> Y 8 10<BR /> with out joining above queries</P> Mon, 05 Oct 2015 02:53:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256519#M76797 i2sheri 2015-10-05T02:53:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256520#M76798 <P>I do not understand your question but have you tried <CODE>spath</CODE>?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/spath">http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/spath</A></P> Tue, 06 Oct 2015 13:45:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256520#M76798 woodcock 2015-10-06T13:45:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256521#M76799 <P>Try something like this</P> <PRE><CODE>your base search | rex max_match=0 "\&lt;stat pass=\"(?&lt;Pass&gt;\d+)\" fail=\"(?&lt;Fail&gt;\d+)\"\&gt;(?&lt;Metrics&gt;[^\&lt;]+)\&lt;\/stat\&gt;" | eval temp=mvzip(Metrics,(mvzip(Pass,Fail,"#"),"#") | table temp | mvexpand temp | rex field=temp "(?&lt;Metrics&gt;.*)#(?&lt;Pass&gt;.*)#(?&lt;Fail&gt;.*)" | table Metrics Pass Fail </CODE></PRE> Tue, 06 Oct 2015 14:18:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256521#M76799 somesoni2 2015-10-06T14:18:57Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256522#M76800 <P>I am new to splunk, I will try and let you know</P> Fri, 09 Oct 2015 08:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256522#M76800 i2sheri 2015-10-09T08:42:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256523#M76801 <P>Small correction, I cannot edit your answer</P> <PRE><CODE> your base search | rex max_match=0 "\&lt;stat pass=\"(?&lt;Pass&gt;\d+)\" fail=\"(?&lt;Fail&gt;\d+)\"\&gt;(?&lt;Metrics&gt;[^\&lt;]+)\&lt;\/stat\&gt;" | eval temp=mvzip(Metrics,mvzip(Pass,Fail,"#"),"#") | table temp | mvexpand temp | rex field=temp "(?&lt;Metrics&gt;.*)#(?&lt;Pass&gt;.*)#(?&lt;Fail&gt;.*)" | table Metrics Pass Fail </CODE></PRE> Fri, 09 Oct 2015 08:50:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-parse-my-XML-data-in-a-single-search/m-p/256523#M76801 i2sheri 2015-10-09T08:50:59Z