I have an xml file in a logging statement that I extracted 3 instances of the value . These values are correctly displayed in a table in separate columns.
The xml file will have 2 or 3 instances of the value: ****
This is the query:
source="messaging-service.log" sourcetype="hidden" "createMessage MsgSource" | xmlkv | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segment1 = if(isnotnull(mvindex(segment, 0)), "FirstSegment", ""), Segment2 = if(isnotnull(mvindex(segment, 1)), "SecondSegment", ""), Segment3 = if(isnotnull(mvindex(segment, 2)), "ThirdSegment", "") | table purchCostReference, eventType, Segment1, Segment2, Segment3
I tried using the case statement but it only returns the first value, FirstSegment in the table.
sourcetype... | xmlkv | rex max_match=0 "\<purchCostReference\>(?P<segment>[^\<]+)" | eval Segments = case(isnotnull(mvindex(segment, 0)), "FirstSegment", isnotnull(mvindex(segment, 1)), "SecondSegment", isnotnull(mvindex(segment, 2)), "ThirdSegment") | table purchCostReference, eventType, Segments | eventstats list(Segments) as Segments by purchCostReference, eventType | sort purchCostReference, eventType
I would like there to be 1 column, Segment and the FirstSegment, SecondSegment, ThirdSegment be listed in the column.
Is there any Splunk function that allows me to create a group called 'Segment' and add the variables, FirstSegment, SecondSegment, ThirdSegment to it?
