https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410657#M118522 <P>What does a failed transfer or import look like? You didn't provide a log line for those...</P> <P>The rest, or for anyone who wants to finish this answer after you provide that, might be along the lines of ...</P> <PRE><CODE>base search ... | rex "IISYS\s+(?&lt;action&gt;\w+) of (?&lt;server&gt;.*) (?&lt;result&gt;successfully|failed) transferred to (?&lt;dest_server&gt;.*)" | rex "IISYS\s+(?&lt;action&gt;\w+) (?&lt;result&gt;successfully) ended on (?&lt;server&gt;.*) from export of (?&lt;dest_server&gt;.*) with exit code (?&lt;exit_code&gt;\d+)" | eval in here to make result and exit_code all "OK" or "KO" as required | timechart span=1d count by server, result_code. </CODE></PRE> <P>Get us a sample of those log lines where it fails, so we know what to parse for the KO, and that should let us finish this for you.</P> Sun, 25 Nov 2018 13:07:09 GMT Richfez 2018-11-25T13:07:09Z https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410656#M118521 <P>Hi, I am having trouble in my queries.<BR /> My logs are as below:<BR /> <STRONG>18/11/2018 12:00:41 IISYS export of Server 1 successfully transferred to Server 2<BR /> 17/11/2018 03:32:09 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0<BR /> 16/11/2018 21:05:57 IISYS export of Server 1 successfully transferred to Server 3<BR /> 16/11/2018 21:06:15 IISYS export of Server 1 successfully transferred to Server 4<BR /> 17/11/2018 03:31:32 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0<BR /> 17/11/2018 03:36:55 IISYS Import successfully ended on server 1 from export of Server 3 with exit code 0</STRONG></P> <P>If imported then "OK" If not "KO" and for 3rd table, there is no export on sunday and no import processing on saturday.<BR /> Now I have to make tables based on above logs as below attached screenshot.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6167iFF1873DC7E3DC993/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 25 Nov 2018 07:26:32 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410656#M118521 dhirendra224761 2018-11-25T07:26:32Z https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410657#M118522 <P>What does a failed transfer or import look like? You didn't provide a log line for those...</P> <P>The rest, or for anyone who wants to finish this answer after you provide that, might be along the lines of ...</P> <PRE><CODE>base search ... | rex "IISYS\s+(?&lt;action&gt;\w+) of (?&lt;server&gt;.*) (?&lt;result&gt;successfully|failed) transferred to (?&lt;dest_server&gt;.*)" | rex "IISYS\s+(?&lt;action&gt;\w+) (?&lt;result&gt;successfully) ended on (?&lt;server&gt;.*) from export of (?&lt;dest_server&gt;.*) with exit code (?&lt;exit_code&gt;\d+)" | eval in here to make result and exit_code all "OK" or "KO" as required | timechart span=1d count by server, result_code. </CODE></PRE> <P>Get us a sample of those log lines where it fails, so we know what to parse for the KO, and that should let us finish this for you.</P> Sun, 25 Nov 2018 13:07:09 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410657#M118522 Richfez 2018-11-25T13:07:09Z https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410658#M118523 <P>Hi @rich7177,</P> <P>Thanks for your input. especially for below rex command</P> <P>| rex "IISYS\s+(?\w+) of (?.<EM>) (?successfully|failed) transferred to (?.</EM>)"</P> <P>Let me try with this and let you know back again.<BR /> Thanks Again</P> Sun, 25 Nov 2018 13:28:45 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410658#M118523 dhirendra224761 2018-11-25T13:28:45Z https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410659#M118524 <P>Your data does not match your chart. If you make them match, then maybe we can help you.</P> Sun, 25 Nov 2018 18:56:57 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410659#M118524 woodcock 2018-11-25T18:56:57Z https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410660#M118525 <P>Hi @woodcock ... Sure I will corrct my logs as per the chart.</P> Sun, 25 Nov 2018 19:36:28 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-custom-table-from-logs/m-p/410660#M118525 dhirendra224761 2018-11-25T19:36:28Z