Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a multivalue to single value from XML?

cmcdole
Path Finder
‎03-09-2023 04:58 PM

I need to create a single field named MemberOf from the XML snippet below.  It should look like this:

memberOf

CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com

CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com

CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com

 

 

 

 

<entry key="memberOf">
                            <value>
                              <Map>
                                <entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
                                <entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
                                <entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
                              </Map>
                            </value>
                          </entry>

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2023 05:21 PM

Maybe this run-anywhere example will get you started.

| makeresults 
| eval _raw="<entry key=\"memberOf\">
<value>
  <Map>
    <entry key=\"CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com\"/>
    <entry key=\"CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com\"/>
    <entry key=\"CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com\"/>
 </Map>
</value>
</entry>" 
``` Above is demo data.  Delete IRL.  ```
| spath output=Map path=entry.value.Map
| spath input=Map output=values path=entry{@key}
| eval key="memberOf"
| table key values
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cmcdole
Path Finder
‎03-10-2023 05:16 AM

Your awesomeness is much appreciated.  This works!!  Thank you very much!!

Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2023 07:04 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 05:12 PM

Assuming _raw holds the XML snippet

| spath path=entry.value.Map.entry{@key} output=memberOf
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...