topic How to create a search to get the values in table format? in Splunk Enterprise

How to create a search to get the values in table format?

Vani_26 — Sat, 24 Sep 2022 03:41:47 GMT

My sample logs is:
2022-09-12 34:45:12.456 info Request uri [/asdff/aii/products] Request patameters [] Request payload [Request body size : : 5678 bytes Request body : : [{\activaterequest\:\ESRTYBBS\*\*, \"addresslines\":[{\"addressLineOrder\":\"NAME\"linevalues\":[\"esmal interger\"]}], \"productsio\":\"IM630\", \"productjourneykey\":\"IM630-p-6789778\",\"lineValues\":[\"sejo guleim ramo versa"]}], \"statusdesc\":\"unknown protocol version. http header [x-aacs-rest-version]. Assuming current version [v1.0]\"}],[{ \number\"4\",\"storePONumber\":\"3456\*}, \"app\",\"message\":\"Action taken when more than 10 points\"}], :[{\"serverstatuscode\":\"400 bad_request\",\"severity\", \"statusdesc\":\"Action taken when more than 10 points\"}], \"number\"6\"]

My query: index=axcf "Action taken when more than 10 points"

but i want the following values(productsio, addressLineOrder, linevalues, storePONumber, message, serverstatuscode, statusdesc ) in table format.

how can i do this??

Re: How to create a search to get the values in table format?

ITWhisperer — Sun, 25 Sep 2022 09:24:19 GMT

Please confirm that the sample log is a true representation of your data, because it is a very confusing format with inconsistencies and misspellings.

Assuming it is accurate, please provide the corresponding output you are expecting to see, so we can identify how you log message might be broken down into the field values you are looking for.

Also, another couple of examples might help, so that fixed field names and variable values can more easily be identified.

Re: How to create a search to get the values in table format?

Vani_26 — Mon, 26 Sep 2022 16:00:49 GMT

i want the results in the below format:

productsio IM630

addressLineOrder NAME

linevalues ejo guleim ramo versa

storePONumber 3456

message Action taken when more than 10 points

serverstatuscode 400 bad_request

statusdesc Action taken when more than 10 points

statusdesc unknown protocol version. http header [x-aacs-rest-version]. Assuming current version [v1.0]

Re: How to create a search to get the values in table format?

ITWhisperer — Tue, 27 Sep 2022 08:33:57 GMT

| rex "\\\\\"productsio\\\\\":\\\\\"(?<productsio>[^\\\\]+)" | rex "\\\\\"addressLineOrder\\\\\":\\\\\"(?<addressLineOrder>[^\\\\]+)" | rex "\\\\\"linevalues\\\\\":\[\\\\\"(?<linevalues>[^\\\\]+)" | rex "\\\\\"storePONumber\\\\\":\\\\\"(?<storePONumber>[^\\\\]+)" | rex "\\\\\"message\\\\\":\\\\\"(?<message>[^\\\\]+)" | rex "\\\\\"serverstatuscode\\\\\":\\\\\"(?<serverstatuscode>[^\\\\]+)" | rex max_match=0 "\\\\\"statusdesc\\\\\":\\\\\"(?<statusdesc>[^\\\\]+)"

Re: How to create a search to get the values in table format?

Vani_26 — Tue, 27 Sep 2022 20:21:42 GMT

when i am using the below rex getting below error
Regex:missing terminating ] for character class

Re: How to create a search to get the values in table format?

ITWhisperer — Tue, 27 Sep 2022 20:23:53 GMT

What exactly are you using as it looks like a copy/paste/typo?

Re: How to create a search to get the values in table format?

Vani_26 — Tue, 27 Sep 2022 20:50:48 GMT

yes i was entering it incorrectly.

thank you, it helped me a lot , its working as expected.