Hi there,

I am trying working out a scenario with Splunk and having a hard time on it.

I have got a XML which has the order number in it. I need to do everything at search time.

Example XPATH: //OrderNumber (the number of occurrence is one only in whole XML)
Then I am pulling out all the sub orders inside this order by using XPATH= //OrderNumber/SubOrderNumber ( this is dynamic - which means it can have more than 1 occurrences)
Then I am also looking for there statuses in the XML against the SubOrderNumber using XPATH= //OrderNumber/SubOrderNumberSTATUS ( this is dynamic - which means it can have more than 1 occurrences but it may be less or more than the sub order numbers)

Now the problem is that all these fields are pulled out quite well but they all are in single event.

Results:-

Event 1:

OrderNumber SubOrderNumber  SubOrderNumberStatus
12345        12345-1         Open
             12345-2         Closed
             12345-3        

But I want to see the output as individual events , something like this:

OrderNumber SubOrderNumber  SubOrderNumberStatus
12345        12345-1         Open
12345        12345-2         Closed
12345        12345-3         {leave it blank}

The above should be 3 different events.

I tried using the below query which works fine if all the fields have some data :-

| fields OrderNumber SubOrderNumber SubOrderNumberStatus
|eval fields=mvzip(OrderNumber,SubOrderNumber) | mvexpand fields | eval temp=split(fields,",") | eval OrderNumber_new =mvindex(temp,0)|eval SubOrderNumber_new =mvindex(temp,1)| table OrderNumber_new, SubOrderNumber_new

Can anyone please provide some pointer around it.

Thanks in advance.