Hello,
I have logs where there are multiple values for two fields. This data looks like this example below for each event.
| dest | user | builtinadmin | 
| computer1 | user1 user2 | true false | 
It comes from this raw data:
<computer N=computer1 D=corp OS=Windows DC=false>
<users>
<user N="user1" builtinadmin="false" />
<user N="user2" builtinadmin="true" />
</users>
</computer>
Is there a way to show the data like this instead, where each user correctly correlates to the builtinadmin value?
| dest | user | builtinadmin | 
| computer1 | user1 | true | 
| computer1 | user2 | false | 
Since your data is in XML, here is an alternative to the mvzip-split combination, using the path option in the builtin function spath.
| rename computer{@N} AS dest ``` you already did this in your original search ```
| spath path=computer.users output=users ``` retain complete path as a single XML field ```
| eval users = split(users, "
") ``` for some reason users is single string; turn into multivalue ```
| mvexpand users
| spath input=users ``` extract user attrib from XML after mvexpand ```
| rename user{@N} as user, user{@builtinadmin} as builtinadmin ``` do this AFTER mvexpand, not before ```
| table dest user builtinadmin
Sample data gives
| dest | user | builtinadmin | 
| computer1 | user1 | false | 
| computer1 | user2 | true | 
Hey
Not sure if there is any other easy way to do this but you can give this a try:
<user search>
|eval tagged=mvzip(user,builtinadmin) 
| mvexpand tagged 
| makemv tagged delim="," 
| eval user=mvindex(tagged,0) 
| eval builtinadmin=mvindex(tagged,1) 
| table dest user builtinadmin
Let me know if this helps!
Can you please try this?
YOUR_SEARCH
| eval t=mvzip(user,builtinadmin,"|")
| mvexpand t
| eval user=mvindex(split(t,"|"),0),builtinadmin=mvindex(split(t,"|"),1)  | table dest	user	builtinadmin
My Sample Search :
| makeresults | eval _raw="<computer N=computer1 D=corp OS=Windows DC=false><users><user N=\"user1\" builtinadmin=\"false\" /><user N=\"user2\" builtinadmin=\"true\" /></users></computer>" | spath | rename "computer{@N}" as dest, "computer.users.user{@N}" as user, "computer.users.user{@builtinadmin}" as builtinadmin | table dest	user	builtinadmin | rename comment as "Upto now is for sample data only"
| eval t=mvzip(user,builtinadmin,"|")
| mvexpand t
| eval user=mvindex(split(t,"|"),0),builtinadmin=mvindex(split(t,"|"),1)  | table dest	user	builtinadmin
Thanks
KV
 
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
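As an added illustration (not code from the thread), the following Python sketch contrasts the two approaches above: reading each `<user>` element's own attributes (what the spath path=... plus mvexpand answer does) versus pairing the `user` and `builtinadmin` multivalue lists by position (what mvzip does). The sample event is constructed here with quoted attribute values so it parses as XML, and it assumes one user may lack the builtinadmin attribute, which is where positional pairing silently shifts.

```python
import xml.etree.ElementTree as ET

# Constructed sample event modelled on the thread's data (attribute values quoted
# so it is well-formed XML). Assumption: user2 carries no builtinadmin attribute.
SAMPLE_EVENT = """<computer N="computer1" D="corp" OS="Windows" DC="false">
  <users>
    <user N="user1" builtinadmin="false" />
    <user N="user2" />
    <user N="user3" builtinadmin="true" />
  </users>
</computer>"""


def rows_per_element(raw):
    """Walk each <user> element and read its own attributes (spath path=... then
    mvexpand): the pairing comes from the element itself, never from position."""
    root = ET.fromstring(raw)
    dest = root.get("N")
    return [(dest, u.get("N"), u.get("builtinadmin", "missing"))
            for u in root.iter("user")]


def rows_positional(raw):
    """Mimic mvzip(user, builtinadmin): collect each attribute as its own list of
    present values, then pair by index (zip stops at the shorter list, which is
    the assumption made here). A missing attribute shifts every later pairing."""
    root = ET.fromstring(raw)
    dest = root.get("N")
    names = [u.get("N") for u in root.iter("user") if u.get("N") is not None]
    admins = [u.get("builtinadmin") for u in root.iter("user")
              if u.get("builtinadmin") is not None]
    return [(dest, n, a) for n, a in zip(names, admins)]


def builtin_admins(rows):
    """Which (dest, user) pairs report builtinadmin=true; this is the list a
    defender would review, so a shifted pairing here is a false finding."""
    return [(d, u) for d, u, a in rows if a == "true"]


if __name__ == "__main__":
    for row in rows_per_element(SAMPLE_EVENT):
        print("per-element:", row)
    for row in rows_positional(SAMPLE_EVENT):
        print("positional: ", row)
    print("admins (per-element):", builtin_admins(rows_per_element(SAMPLE_EVENT)))
    print("admins (positional): ", builtin_admins(rows_positional(SAMPLE_EVENT)))
```

On this event the positional method reports user2 as a built-in admin and drops user3 entirely, while the per-element method keeps user3 and marks user2's value as missing.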
