
How to mvexpand a 3 node level XML or merge it with xpath or spath?

sbsbb
Builder

I have XML with 3 levels:

level1 Property1
  EventType1
    Element1
    Element2
  EventType2
    Element3
    Element4

level1 Property2
  EventType1
    Element5
    Element6
  EventType2
    Element7
    Element8

I would like to have everything flat, like:
Level1 Property1 EventType1 Element1 (... with all fields from Element1)
Level1 Property1 EventType1 Element2...
Level1 Property1 EventType2 Element3...
Level1 Property1 EventType2 Element4...
Level1 Property2 EventType1 Element5...

I tried to make an spath with Level1 as path, and then a | mvexpand.
But in fact I have to make a double expand for each eventtype, or make some kind of union?

(Fields in the Elements themselves are similar in Event1 and 2.)

I'm lost!


sbsbb
Builder

At the moment I have a workaround by doing an append:

search.... spath... [ append search spath ]

It works, but it is not really performant.


eashwar
Communicator

Did you have a solution for this, brother? Please let me know.
