Solved: Using mvexpand to get multiple fields from XML dat... - Page 2

sushmitha_mj · ‎05-26-2016

I am using mvexpand for getting multiple fields from an XML and grouping them. Here is my search:

spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent |  fields Manager,Received,Sent |  eval a=mvzip(Manager,Sent,":") | mvexpand a|eval a=split(a,":")|eval Manager=mvindex(a,0) | eval Sent=mvindex(a,1) | eval z=mvzip(Manager,Received,":") | mvexpand z|eval z=split(z,":")|eval Manager=mvindex(z,0) | eval Received=mvindex(z,1) |stats max(Sent) as "Sent ", max(Received) as "Received" by Manager

When I run this search, it gives me values. However, the value for Sent is right, but Received is wrong. When I reverse the order of the eval and stats, the value in received is right and value of sent is wrong.

Am I using the mvexpand wrong? How do I make this search work?

somesoni2 · ‎05-26-2016

Not sure you need the mvexpand at all. Just give this a try

spath output=Manager path=env:Envelope.env:Body.dp:response.dp:status.Manager | spath output=Received path=env:Envelope.env:Body.dp:response.dp:status.Messages | spath output=Sent path=env:Envelope.env:Body.dp:response.dp:status.MQQMstatus.Sent |stats max(Sent) as "Sent ", max(Received) as "Received" by Manager

View solution in original post

Using mvexpand to get multiple fields from XML data, why am I getting incorrect values for a field?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...