I have this XML data in one event but there are multiple transactions with same fieldnames . We need to display them all but group per transaction.
Sample Data in Splunk:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<TransactionMetaData xmlns="">
<UniqueTransactionID>8G1F1R1C-701G16EC0F32</UniqueTransactionID>
<TransactionDateTime>2021-04-16T03:11:26.031+02:00</TransactionDateTime>
</TransactionMetaData>
<Payload xmlns="">
<ValidatedSalesTransactions>
<Transaction>
<RetailStoreID>PHP6666</RetailStoreID>
<BusinessDayDate>2021-04-15</BusinessDayDate>
<BeginDateTime>2021-04-15T07:21:22</BeginDateTime>
<CurrencyCode>PHP</CurrencyCode>
<ReceiptNumber>8565</ReceiptNumber>
<RetailTransaction TransactionStatus="Totaled">
<SaleReturn ReturnFlag="true">
<ItemID>7481036706423787</ItemID>
<Quantity>1</Quantity>
<Amount>1.67</Amount>
<OnlineOrderID>5516054561</OnlineOrderID>
<OnlineItemID>6430081131637851</OnlineItemID>
</SaleReturn>
</RetailTransaction>
<Country>Philippines</Country>
</Transaction>
<Transaction>
<RetailStoreID>PHP6666</RetailStoreID>
<BusinessDayDate>2021-04-15</BusinessDayDate>
<BeginDateTime>2021-04-15T07:30:11</BeginDateTime>
<CurrencyCode>PHP</CurrencyCode>
<ReceiptNumber>8566</ReceiptNumber>
<RetailTransaction TransactionStatus="Totaled">
<SaleReturn ReturnFlag="true">
<ItemID>59874451032500</ItemID>
<Quantity>1</Quantity>
<Amount>2.84</Amount>
<OnlineOrderID>8549756244420</OnlineOrderID>
<OnlineItemID>64385647545125144</OnlineItemID>
</SaleReturn>
</RetailTransaction>
<Country>Philippines</Country>
</Transaction>
</ValidatedSalesTransactions>
</Payload>
My Search Query:
index=transaction_index sourcetype=ST_source
| xmlkv
| table RetailStoreID CurrencyCode ReceiptNumber ItemID Quantity OnlineOrderID OnlineItemID Country
I'm only getting the 1st transaction.
But, this is my expected result:
what can I add on my search to get all the transaction?
Thank you!
1 Solution
