Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a multivalue to single value from XML?

cmcdole
Path Finder
‎03-09-2023 04:58 PM

I need to create a single field named MemberOf from the XML snippet below.  It should look like this:

memberOf

CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com

CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com

 

 

 

 

<entry key="memberOf">
                            <value>
                              <Map>
                                <entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                              </Map>
                            </value>
                          </entry>

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2023 05:21 PM

Maybe this run-anywhere example will get you started.

| makeresults 
| eval _raw="<entry key=\"memberOf\">
<value>
  <Map>
    <entry key=\"CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
 </Map>
</value>
</entry>" 
``` Above is demo data.  Delete IRL.  ```
| spath output=Map path=entry.value.Map
| spath input=Map output=values path=entry{@key}
| eval key="memberOf"
| table key values
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cmcdole
Path Finder
‎03-10-2023 05:16 AM

Your awesomeness is much appreciated.  This works!!  Thank you very much!!

Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2023 07:04 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 05:12 PM

Assuming _raw holds the XML snippet

| spath path=entry.value.Map.entry{@key} output=memberOf
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...