I was running into the same problem where I only needed a simple table merging a couple of XML values from many, and potentially multiple times per event.
To build off of what sideview explained, and from the mvexpand docs, I think I have a way to help you get just the fields you care about in a simple table. Notice that the first few lines are the same as what was already posted:
| rename "result{@name}" as result_name
| fields result_name result
| eval zipped=mvzip(result_name,result)
| mvexpand zipped
This is where the code changes a little bit to meet what I think you are requesting. You can actually just rex out of the new field you just created:
| rex field=zipped "(?<result_name>\S+),(?<result>\d+)"
| table result_name result
It should be displayed like:
result_name result
MISCONF_STATUS.SUCCESS 154
MISCONF_RISK.HIGH 39
MISCONF_ALL 606
These results are then connected, so you could get only specific events by appending:
| where result_name="MISCONF_ALL" AND result="606"
For some visualizations you can also change:
| table result_name result
to something like:
| stats values(result_name) by result
Hope this helps
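To show why the mvzip/mvexpand/rex chain keeps the name and value paired, here is an added Python emulation of that pipeline run over a constructed event (this is not from the original post or from Splunk itself; the field names and sample values are assumptions matching the post). It also shows the failure mode when a result is not numeric: the rex does not match, so that row keeps the original multivalue fields instead of a single pair.

```python
import re

# Constructed sample event, not from the original post. It models the state after the
# question's XML extraction: two multivalue fields whose values line up by position.
SAMPLE_EVENT = {
    "result{@name}": ["MISCONF_STATUS.SUCCESS", "MISCONF_RISK.HIGH", "MISCONF_ALL"],
    "result": ["154", "39", "606"],
}

# Same regex as the post, written with Python's named-group syntax.
ZIPPED_RE = re.compile(r"(?P<result_name>\S+),(?P<result>\d+)")


def mvzip(a, b, delim=","):
    """Emulate SPL mvzip: join the values pairwise; the shorter field sets the length."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvexpand(event, field):
    """Emulate SPL mvexpand: emit one copy of the event per value of `field`."""
    return [{**event, field: value} for value in event.get(field, [])]


def rex(row, field, pattern):
    """Emulate SPL rex: named groups become fields; on no match the row is left unchanged."""
    match = pattern.search(row.get(field, ""))
    return {**row, **match.groupdict()} if match else row


def pipeline(event):
    """Run rename -> fields -> mvzip -> mvexpand -> rex -> table; return (name, result) rows."""
    renamed = {"result_name": event["result{@name}"], "result": event["result"]}
    zipped = {**renamed, "zipped": mvzip(renamed["result_name"], renamed["result"])}
    rows = [rex(r, "zipped", ZIPPED_RE) for r in mvexpand(zipped, "zipped")]
    return [(r["result_name"], r["result"]) for r in rows]


def where(rows, result_name, result):
    """Emulate the post's `| where result_name=... AND result=...` filter."""
    return [r for r in rows if r == (result_name, result)]


if __name__ == "__main__":
    for name, value in pipeline(SAMPLE_EVENT):
        print(f"{name:24} {value}")
    # Constructed bad input: "n/a" does not match \d+, so rex leaves that row's
    # result_name/result as the original multivalue lists rather than one pair.
    BAD = {"result{@name}": ["MISCONF_ALL", "MISCONF_NOTE"], "result": ["606", "n/a"]}
    print(pipeline(BAD))
```

If your values are not all digits, loosen the second capture group (for example `(?<result>[^,]+)`) or the unmatched rows will silently show the unexpanded lists.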