https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273813#M82597 <P>Can you provide sample raw events, to see how the actual data looks? Mask any sensitive data while posting.</P> Fri, 27 May 2016 14:56:45 GMT somesoni2 2016-05-27T14:56:45Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273806#M82590 <P>I am using mvexpand for getting multiple fields from an XML and grouping them. Here is my search: </P> <PRE><CODE>spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent | fields Manager,Received,Sent | eval a=mvzip(Manager,Sent,":") | mvexpand a|eval a=split(a,":")|eval Manager=mvindex(a,0) | eval Sent=mvindex(a,1) | eval z=mvzip(Manager,Received,":") | mvexpand z|eval z=split(z,":")|eval Manager=mvindex(z,0) | eval Received=mvindex(z,1) |stats max(Sent) as "Sent ", max(Received) as "Received" by Manager </CODE></PRE> <P>When I run this search, it gives me values. However, the value for <STRONG>Sent</STRONG> is right, but <STRONG>Received</STRONG> is wrong. When I reverse the order of the eval and stats, the value in received is right and value of sent is wrong. </P> <P>Am I using the mvexpand wrong? How do I make this search work? </P> Thu, 26 May 2016 18:34:28 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273806#M82590 sushmitha_mj 2016-05-26T18:34:28Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273807#M82591 <P>Please share some sample data.</P> Thu, 26 May 2016 19:39:55 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273807#M82591 richgalloway 2016-05-26T19:39:55Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273808#M82592 <P>In my Case we have 5 fields. Sample data as follows: <BR /> Values are the values in the field, count is the number of rows/entries of data. </P> <OL> <LI><P>Field: <STRONG>a</STRONG> <BR /> Values Count<BR /><BR /> 0 ------ 96 <BR /> 250 ------ 96<BR /><BR /> Mgr_CA ------ 96<BR /> Mgr_DO ------ 96 </P></LI> <LI><P>Field: <STRONG>Manager</STRONG></P></LI> </OL> <P>Values Count<BR /><BR /> Mgr_CA ------ 192<BR /><BR /> Mgr_DO ------ 192</P> <OL> <LI><P>Field: <STRONG>Recieved</STRONG><BR /> Values Count<BR /><BR /> 0 ------ 96<BR /><BR /> 251 ------ 96</P> <OL> <LI>Field: <STRONG>Sent</STRONG> Values Count<BR /> 0 ------ 192<BR /> 251 ------ 192</LI> <LI>Field : <STRONG>z</STRONG> Values Count<BR /> 0 ------ 96<BR /> 251 ------ 96<BR /> Mgr_CA ------ 96<BR /> Mgr_DO ------ 96</LI> </OL></LI> </OL> Tue, 29 Sep 2020 09:49:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273808#M82592 sushmitha_mj 2020-09-29T09:49:05Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273809#M82593 <P>Try this</P> <PRE><CODE>spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent | fields Manager,Received,Sent | eval a=mvzip(Manager,mvzip(Sent, Received, ":"), ":") | mvexpand a|eval a=split(a,":")|eval Manager=mvindex(a,0) | eval Sent=mvindex(a,1) | eval Received=mvindex(z,2) |stats max(Sent) as "Sent ", max(Received) as "Received" by Manager </CODE></PRE> Thu, 26 May 2016 20:40:02 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273809#M82593 sundareshr 2016-05-26T20:40:02Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273810#M82594 <P>Not sure you need the mvexpand at all. Just give this a try</P> <PRE><CODE>spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent |stats max(Sent) as "Sent ", max(Received) as "Received" by Manager </CODE></PRE> Thu, 26 May 2016 21:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273810#M82594 somesoni2 2016-05-26T21:13:07Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273811#M82595 <P>Thanks. <BR /> I understand the logic you are trying to use, but I am getting an error<BR /> "Error in 'eval' command: The expression is malformed. Expected )." on this line <BR /> mvzip(Manager,mvzip(Sent, Received, ":"), ":") </P> Fri, 27 May 2016 14:49:43 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273811#M82595 sushmitha_mj 2016-05-27T14:49:43Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273812#M82596 <P>Thanks...<BR /> This query works but the output it is giving is wrong. <BR /> It is showing 250 for both managers and for both sent and received. It should have been zero for one manager and 250 for the other manager. It is probably getting the max on both, not grouping properly </P> Fri, 27 May 2016 14:52:08 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273812#M82596 sushmitha_mj 2016-05-27T14:52:08Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273813#M82597 <P>Can you provide sample raw events, to see how the actual data looks? Mask any sensitive data while posting.</P> Fri, 27 May 2016 14:56:45 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273813#M82597 somesoni2 2016-05-27T14:56:45Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273814#M82598 <P>In my Case we have 5 fields. Sample data as follows: (Based on my initial query using 2 mvzip "a" and "z" ) <BR /> Values are the values in the field, count is the number of rows/entries of data.</P> <P>Field: a <BR /> Values Count <BR /> 0 ------ 96 <BR /> 251 ------ 96 <BR /> Mgr_CA ------ 96<BR /> Mgr_DO ------ 96</P> <P>Field: Manager</P> <P>Values Count <BR /> Mgr_CA ------ 192 <BR /> Mgr_DO ------ 192</P> <P>Field: Recieved<BR /> Values Count <BR /> 0 ------ 96 <BR /> 251 ------ 96</P> <P>Field: Sent<BR /> Values Count <BR /> 0 ------ 192 <BR /> 251 ------ 192</P> <P>Field : z<BR /> Values Count <BR /> 0 ------ 96 <BR /> 251 ------ 96 <BR /> Mgr_CA ------ 96 <BR /> Mgr_DO ------ 96</P> <P>The output I get for your query without using mv command is <BR /> Manager --------- Sent --------- Received <BR /> Mgr_CA --------- 251 --------- 251<BR /> Mgr_DO --------- 251 --------- 251</P> <P>What it actually should be : </P> <P>Manager --------- Sent --------- Received <BR /> Mgr_CA --------- 0 --------- 0<BR /> Mgr_DO --------- 251 --------- 251</P> Tue, 29 Sep 2020 09:49:29 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273814#M82598 sushmitha_mj 2020-09-29T09:49:29Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273815#M82599 <P>Would be better if you just provide a sample raw data from below query. How many (OR whether) mv operations are required will depend on that.</P> <PRE><CODE>spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager </CODE></PRE> Fri, 27 May 2016 18:11:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273815#M82599 somesoni2 2016-05-27T18:11:05Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273816#M82600 <P>This is the raw data. I have just put entered it manually. <BR /> because I could attach screenshots</P> Fri, 27 May 2016 19:54:10 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273816#M82600 sushmitha_mj 2016-05-27T19:54:10Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273817#M82601 <P>Give this a try</P> <PRE><CODE>your base search | spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent | fields Manager,Received,Sent | eval temp=mvzip(mvzip(Manager,Sent,"#"),Received,"#") | table temp | mvexpand temp | rex field=temp "(?&lt;Manager&gt;.+)#(?&lt;Sent&gt;.+)#(?&lt;Received&gt;.+)"| stats max(Sent) as "Sent ", max(Received) as "Received" by Manager </CODE></PRE> Fri, 27 May 2016 20:03:37 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273817#M82601 somesoni2 2016-05-27T20:03:37Z https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273818#M82602 <P>Wow... It worked... <BR /> Thank you so much.. </P> Mon, 30 May 2016 20:24:54 GMT https://community.splunk.com/t5/Splunk-Search/Using-mvexpand-to-get-multiple-fields-from-XML-data-why-am-I/m-p/273818#M82602 sushmitha_mj 2016-05-30T20:24:54Z