I would like to have a table of items, but getting this to work is not working out for me. I think because the raw event is slightly hard for me to process. This is a shortened version of my raw event:
EDIT: please note that the "& lt;" and "& gt;" markings below are actually without the space, but otherwise the forum would convert them.
[03/29/2017 15:39:00.115 CEST] BLABLA [nl.morenonsense]
<send exit="sendCoolMessage">
<message>
<![CDATA[& lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?& gt;
& lt;SendCoolMsg xmlns="http://www.website.com"& gt;
& lt;CoolAMsg& gt;
& lt;?xml version="1.0" encoding="UTF-8"?& gt;
& lt;Items& gt;
& lt;Item1& gt;
& lt;information& gt;numbers and stuff& lt;/information& gt;
& lt;coolthings& gt;strings& lt;/coolthings& gt;
& lt;/Item1& gt;
& lt;Item2& gt;
& lt;information& gt;numbers2 and stuff2& lt;/information& gt;
& lt;coolthings& gt;strings2& lt;/coolthings& gt;
& lt;/Item2& gt;
& lt;/Items& gt;
& lt;/CoolAmsg& gt;
& lt;/SendCoolMsg& gt;
]]>
</message>
</send>
I'd like to end up with a table like this:
information coolthings
item1
item2
I can access the fields (like information) using xmlkv, but I haven't been able to get spath to find anything. I have tried using rex to first isolate the inner XML, but it seems to only give back results if there is just a string and not any tag, for some reason.
search | xmlkv | table _time, information
will only give me the information of the first item; I need it to do something multivalued.
search | rex field=_raw "<informatie>(?<Inf>.*)</informatie>" max_match=0 | mvexpand Inf | table _time, Inf
Now we have the expanded multivaluedness. But the next step is to use the information in coolthings to filter. If it is strings2, the information shouldn't show up. And I don't know how to get there if I can't use the XML structure. Also, the event usually has over 15000 characters (sometimes over 30000), if that is a limit somewhere.
In the end we solved it by exporting all these events and processing them locally with scripts.
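The event in the question wraps HTML-entity-escaped XML inside a CDATA block and, going by the posted sample, carries a second XML declaration inside CoolAMsg and closes that element as CoolAmsg. A strict XML parser rejects both, which is one plausible reason spath found nothing. The accepted approach was to export the events and process them locally with scripts; the Python below is an added example of such a script, not the poster's own code. It constructs a sample event modelled on the one above (with the closing-tag case made consistent), unescapes the CDATA payload, strips the embedded declarations, parses the items with xml.etree, and applies the filter the question asks for (drop an item whose coolthings is strings2). The namespace URL, tag names and filter value come from the question's sample; the timestamp regex and the splitting of an export file on the bracketed timestamp line are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample event modelled on the one in the question (not real log data).
# The inner XML is HTML-entity-escaped inside the CDATA block, as the poster describes.
SAMPLE_EVENT = """[03/29/2017 15:39:00.115 CEST] BLABLA [nl.morenonsense]
<send exit="sendCoolMessage">
<message>
<![CDATA[&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
&lt;SendCoolMsg xmlns="http://www.website.com"&gt;
&lt;CoolAMsg&gt;
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;Items&gt;
&lt;Item1&gt;
&lt;information&gt;numbers and stuff&lt;/information&gt;
&lt;coolthings&gt;strings&lt;/coolthings&gt;
&lt;/Item1&gt;
&lt;Item2&gt;
&lt;information&gt;numbers2 and stuff2&lt;/information&gt;
&lt;coolthings&gt;strings2&lt;/coolthings&gt;
&lt;/Item2&gt;
&lt;/Items&gt;
&lt;/CoolAMsg&gt;
&lt;/SendCoolMsg&gt;
]]>
</message>
</send>
"""

# Assumed event layout: each event starts with a "[MM/DD/YYYY HH:MM:SS.mmm TZ]" line.
TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
EVENT_START_RE = re.compile(r"(?m)^(?=\[\d{2}/\d{2}/\d{4} )")
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
XML_DECL_RE = re.compile(r"<\?xml[^>]*\?>")
# Default namespace declared on SendCoolMsg in the sample; it applies to every descendant.
NS = {"m": "http://www.website.com"}


def split_events(export_text: str) -> list:
    """Split an exported text dump into raw events (assumption: one per timestamp line)."""
    return [e for e in EVENT_START_RE.split(export_text) if e.strip()]


def extract_inner_xml(raw_event: str) -> str:
    """Pull the escaped payload out of the CDATA block and turn it back into XML text."""
    m = CDATA_RE.search(raw_event)
    if m is None:
        raise ValueError("no CDATA block in event")
    inner = html.unescape(m.group(1))
    # The payload has a second XML declaration inside <CoolAMsg>; a strict parser
    # rejects any declaration that is not at the very start, so drop all of them.
    return XML_DECL_RE.sub("", inner).strip()


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def items_from_event(raw_event: str) -> list:
    """Return one row per Item element: {_time, item, information, coolthings, ...}."""
    ts = TIMESTAMP_RE.match(raw_event)
    timestamp = ts.group("ts") if ts else ""
    root = ET.fromstring(extract_inner_xml(raw_event))
    items = root.find("m:CoolAMsg/m:Items", NS)
    if items is None:
        return []
    rows = []
    for item in items:  # Item1, Item2, ... (whitespace text nodes are not elements)
        row = {"_time": timestamp, "item": _local(item.tag)}
        for child in item:
            row[_local(child.tag)] = (child.text or "").strip()
        rows.append(row)
    return rows


def filter_items(rows: list, exclude_coolthings: str = "strings2") -> list:
    """The poster's rule: an item whose coolthings equals the excluded value is dropped."""
    return [r for r in rows if r.get("coolthings") != exclude_coolthings]


def to_table(rows: list, columns=("_time", "item", "information", "coolthings")) -> str:
    """Render rows as a tab-separated table with a header, like Splunk's `table` output."""
    lines = ["\t".join(columns)]
    for r in rows:
        lines.append("\t".join(r.get(c, "") for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    for event in split_events(SAMPLE_EVENT):
        print(to_table(filter_items(items_from_event(event))))
```

Pointing `split_events` at the contents of an exported search result file gives one row per Item across all events, and `filter_items` applies the coolthings condition before `to_table` prints the result; the size of an event no longer matters once it is parsed outside the search pipeline.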