- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show multiple values for a single field in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My raw data consists of xml data as below:
<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>
Can someone help me get the below output?
FUND1 1600 ABCD
FUND2 1234 EFGH
I am using the below search, but this brings up the last row alone whereas I need both the rows shown above to be printed in my result:
"fundTemplateName" source="file location" | xmlkv | table fundTemplateName, quantityExpression, securityId
Please help/advise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, try this:
| stats count | fields - count
| eval raw = "<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>
"
| spath input=raw
| table fundTemplateName, quantityExpression, securityId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, try this:
| stats count | fields - count
| eval raw = "<fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</quantityExpression><securityId>ABCD</securityId><fundTemplateName>FUND2</fundTemplateName><quantityExpression>1234</quantityExpression><securityId>EFGH</securityId>
"
| spath input=raw
| table fundTemplateName, quantityExpression, securityId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! However, since I am monitoring a log file, I wouldn't know what my raw data would look like. In that case, what would be my input to the eval function? Apologies, I am new to splunk and still learning some of the tricks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for not making it clear but as somesoni2 said, simply replace the first two lines with:
"fundTemplateName" source="file location"
I used the stats and eval to create a sample data to be able to test this, as I can't simulate your data source in my lab otherwise.
In summary, this is what you are looking for:
"fundTemplateName" source="file location"
| spath input=_raw
| table fundTemplateName, quantityExpression, securityId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Replace everything before spath command with your base search ( "fundTemplateName" source="file location" )
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
