Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a multivalue to single value from XM...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a multivalue to single value from XML?
cmcdole
Path Finder
03-09-2023
04:58 PM
I need to create a single field named MemberOf from the XML snippet below. It should look like this:
| memberOf |
CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com |
<entry key="memberOf">
<value>
<Map>
<entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
</Map>
</value>
</entry>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-09-2023
05:21 PM
Maybe this run-anywhere example will get you started.
| makeresults
| eval _raw="<entry key=\"memberOf\">
<value>
<Map>
<entry key=\"CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
</Map>
</value>
</entry>"
``` Above is demo data. Delete IRL. ```
| spath output=Map path=entry.value.Map
| spath input=Map output=values path=entry{@key}
| eval key="memberOf"
| table key values
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmcdole
Path Finder
03-10-2023
05:16 AM
Your awesomeness is much appreciated. This works!! Thank you very much!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-10-2023
07:04 AM
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
03-09-2023
05:12 PM
Assuming _raw holds the XML snippet
| spath path=entry.value.Map.entry{@key} output=memberOf
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...
