topic Re: Generating a table without fields in Dashboards & Visualizations

Generating a table without fields

snobyink — Tue, 13 Feb 2024 23:08:59 GMT

Greetings!

We are trying to generate a table after we got output from a Splunk query. We are trying pipe (|) this to our query but do not know how to do this. Can someone assist?

This is the output after we ran our Splunk query,

Feb 13 20:36:21 hostname1 sshd[100607]: pam_unix(sshd:session): session opened for user user123 by (uid=0)

Feb 13 20:36:23 hostname2 sshd[100608]: pam_unix(sshd:session): session opened for user user345 by (uid=0)

We want to capture the table in this form,

Time Hosts Users

Feb 13 20:36:21 hostname1 user123

Feb 13 20:36:23 hostname2 user345

And so on..

How do we do this. Thank you in advance!

Re: Generating a table without fields

gcusello — Wed, 14 Feb 2024 07:32:10 GMT

Hi @snobyink,

at first, these seem to be Linux logs, so using the Splunk_TA_nix (https://splunkbase.splunk.com/app/833), you should have all the fields extracted.

Anyway, you can use a regex to extract the use field (the host should be already extracted:

index=your_index | rex "for user (?<user>\w+)" | table _time host user

Ciao.

Giuseppe

Re: Generating a table without fields

snobyink — Wed, 14 Feb 2024 15:07:12 GMT

Thanks! Unfortunately the hostname is not extracted as a field. How do we extract host as well from the output? In the meantime we are looking to see if we can install this Add On if we can get past the red tape 🙂

Re: Generating a table without fields

gcusello — Wed, 14 Feb 2024 15:11:29 GMT

Hi @snobyink,

in this case, please try this regex instead the previus one:

^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<host>\w+).*user\s(?<user>\w+)+

that you can test at https://regex101.com/r/bV4B9h/1

Ciao.

Giuseppe

Re: Generating a table without fields

snobyink — Wed, 14 Feb 2024 15:41:31 GMT

Thank you for your help!