Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a multivalue to single value from XM...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a multivalue to single value from XML?
cmcdole
Path Finder
03-09-2023
04:58 PM
I need to create a single field named MemberOf from the XML snippet below. It should look like this:
| memberOf |
CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com |
<entry key="memberOf">
<value>
<Map>
<entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
<entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
<entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
</Map>
</value>
</entry>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-09-2023
05:21 PM
Maybe this run-anywhere example will get you started.
| makeresults
| eval _raw="<entry key=\"memberOf\">
<value>
<Map>
<entry key=\"CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
<entry key=\"CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/>
<entry key=\"CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
</Map>
</value>
</entry>"
``` Above is demo data. Delete IRL. ```
| spath output=Map path=entry.value.Map
| spath input=Map output=values path=entry{@key}
| eval key="memberOf"
| table key values
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmcdole
Path Finder
03-10-2023
05:16 AM
Your awesomeness is much appreciated. This works!! Thank you very much!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-10-2023
07:04 AM
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
03-09-2023
05:12 PM
Assuming _raw holds the XML snippet
| spath path=entry.value.Map.entry{@key} output=memberOf
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
