Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show multiple values for a single field in splunk

vikramphilar
New Member
‎06-14-2016 11:44 PM

My raw data consists of xml data as below: 

<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>

Can someone help me get the below output?

FUND1 1600 ABCD
FUND2 1234 EFGH

I am using the below search, but this brings up the last row alone whereas I need both the rows shown above to be printed in my result: 

"fundTemplateName" source="file location" | xmlkv | table fundTemplateName, quantityExpression, securityId

Please help/advise.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎06-15-2016 04:25 AM

Hi, try this:

| stats count | fields - count
| eval raw = "<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>
"
| spath input=raw
| table fundTemplateName, quantityExpression, securityId

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎06-15-2016 04:25 AM

Hi, try this:

| stats count | fields - count
| eval raw = "<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>
"
| spath input=raw
| table fundTemplateName, quantityExpression, securityId
0 Karma
Reply
Solved! Jump to solution

vikramphilar
New Member
‎06-15-2016 04:00 PM

Thank you! However, since I am monitoring a log file, I wouldn't know what my raw data would look like. In that case, what would be my input to the eval function? Apologies, I am new to splunk and still learning some of the tricks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎06-16-2016 12:17 AM

Sorry for not making it clear but as somesoni2 said, simply replace the first two lines with:

"fundTemplateName" source="file location"

I used the stats and eval to create a sample data to be able to test this, as I can't simulate your data source in my lab otherwise.

In summary, this is what you are looking for:

"fundTemplateName" source="file location"
| spath input=_raw
| table fundTemplateName, quantityExpression, securityId
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-15-2016 06:13 PM

Replace everything before spath command with your base search ( "fundTemplateName" source="file location" )

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...