How to build a table out of this log file?

SS1 — Thu, 25 Aug 2022 01:46:28 GMT

Hi,

I have below log file, I would like to build a table out of it (Line1, Line2,Line3,Line4 are just for understanding)

Line1: 2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice
Line2: 2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice
Line3: 2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google
Line4: 2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice

Desired Table:

Issue True False
Password Expiration Notice 2 0
High Memory usage Google 0 1

Caluclating False: Line1-Line2 i.e. i need to Subtract count of events with "True [Home]" from "False"

Caluclation True: Number of events with "True"

Re: How to build a table out of this log file?

bowesmana — Thu, 25 Aug 2022 04:19:43 GMT

You may already have fields that exist, but this example assumes the data you supplied is the raw data

| makeresults | eval x=split("2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice", "###") | mvexpand x | fields - _time | rename x as _raw | rex "(?<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) (?<bool>(True|False)) ((?<home>\[Home\])? )?(?<platform>\[[^\]]*\]) (?<Issue>.*)" | stats count(eval(bool="False")) as False count(eval(bool="True")) as True count(eval(home="[Home]")) as Home by Issue | eval False = False - Home | table Issue True False

rex statement parses out the fields and then the stats does the basic calcs and the False is adjusted at the end

topic Re: How to build a table out of this log file? in Splunk Search

How to build a table out of this log file?

Re: How to build a table out of this log file?