Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a multivalue to single value from XML?

cmcdole
Path Finder
‎03-09-2023 04:58 PM

I need to create a single field named MemberOf from the XML snippet below.  It should look like this:

memberOf

CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com

CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com

 

 

 

 

<entry key="memberOf">
                            <value>
                              <Map>
                                <entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                              </Map>
                            </value>
                          </entry>

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2023 05:21 PM

Maybe this run-anywhere example will get you started.

| makeresults 
| eval _raw="<entry key=\"memberOf\">
<value>
  <Map>
    <entry key=\"CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
 </Map>
</value>
</entry>" 
``` Above is demo data.  Delete IRL.  ```
| spath output=Map path=entry.value.Map
| spath input=Map output=values path=entry{@key}
| eval key="memberOf"
| table key values
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cmcdole
Path Finder
‎03-10-2023 05:16 AM

Your awesomeness is much appreciated.  This works!!  Thank you very much!!

Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2023 07:04 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 05:12 PM

Assuming _raw holds the XML snippet

| spath path=entry.value.Map.entry{@key} output=memberOf
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...