https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619342#M215253 <P>Hello All,</P> <P>&nbsp;</P> <P>The log has empty space before and after equal with semicolon separation. I’m unable to get the table request status like index="gd" RequestStatus | table RequestStatus, _time</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Would you please advise if anyone have suggestions</P> <P>&nbsp;</P> <P>Log sample</P> <P>{"timestamp":"2022-11-02 17:01:21,421+0000","level":"INFO","location":"request_process:171","message":"request_id = 5ac3565f-d964-31cd-90b1-e8b7b208e7df; RequestStatus = Completed; RequestID = 5ac3565f-d9a64-31cd-9021-e8b7b208e7df--70ivkG0Td8OBpvWk; S3SourceKey = 1049x7555.xml ; "function_request_id":"b61aa34-f22b-53bc-957e-142456b9b7a5","xray_id":"1-6482a25d-78459fbe07213ee14x4386bd"}</P> <P>&nbsp;</P> <P>RequestStatus = Received</P> <P>RequestStatus = Completed</P> <P>RequestStatus = Error</P> Wed, 02 Nov 2022 20:14:21 GMT padrsri 2022-11-02T20:14:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619342#M215253 <P>Hello All,</P> <P>&nbsp;</P> <P>The log has empty space before and after equal with semicolon separation. I’m unable to get the table request status like index="gd" RequestStatus | table RequestStatus, _time</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Would you please advise if anyone have suggestions</P> <P>&nbsp;</P> <P>Log sample</P> <P>{"timestamp":"2022-11-02 17:01:21,421+0000","level":"INFO","location":"request_process:171","message":"request_id = 5ac3565f-d964-31cd-90b1-e8b7b208e7df; RequestStatus = Completed; RequestID = 5ac3565f-d9a64-31cd-9021-e8b7b208e7df--70ivkG0Td8OBpvWk; S3SourceKey = 1049x7555.xml ; "function_request_id":"b61aa34-f22b-53bc-957e-142456b9b7a5","xray_id":"1-6482a25d-78459fbe07213ee14x4386bd"}</P> <P>&nbsp;</P> <P>RequestStatus = Received</P> <P>RequestStatus = Completed</P> <P>RequestStatus = Error</P> Wed, 02 Nov 2022 20:14:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619342#M215253 padrsri 2022-11-02T20:14:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619346#M215255 <P>Here's the most straightforward way (IMO). It uses the <FONT face="courier new,courier">rex</FONT> command to extract the RequestStatus field.</P><LI-CODE lang="markup">index="gd" RequestStatus | rex "RequestStatus = (?&lt;RequestStatus&gt;\S+)" | table RequestStatus, _time</LI-CODE><P>&nbsp;&nbsp;</P> Wed, 02 Nov 2022 18:05:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619346#M215255 richgalloway 2022-11-02T18:05:16Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619357#M215259 <P>Thank you for quick response and the solutions helped us.</P><P>Somehow, I’m not able to get Received request Id in search (sample log). Also is there any way to disable as report like below?</P><P>&nbsp;</P><P><STRONG>RequestStatus status&nbsp;</STRONG></P><P>message: css_request_id = abceesxs-e8cf-383a-81d6-78185430c323; RequestStatus = Received; EnvName = tst111; RequestId = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E; bucket = testbucket; key = DATA.xml; attempts = 1;</P><P><STRONG>Completed status&nbsp;</STRONG></P><P>message: css_request_id = abceesxs-e8cf-383a-81d6-78185430c323; RequestStatus = Completed; RequestID = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E; responseStatusCode = True; platformBuckets = ['css-lpue1-platform-data-application', 'css-lpue2-platform-data-application']; key = DATA.xml; bucket = testbucket; sourceKey = 10497687_DATA.xml ;&nbsp;<BR />service: gwy-Inbound</P><P><STRONG>Search index</STRONG></P><P>index="gd" RequestStatus RequestID | rex "RequestStatus = (?&lt;RequestStatus&gt;\S+)" | rex "RequestID = ?[\S+](?&lt;RequestID&gt;[\S+]*)" | table RequestID, RequestStatus, _time</P><P>Report like&nbsp;</P><P>RequestID, RequestStatus , _time<BR />-------------------------------------------------<BR />11111111 Received,Completed 2022-11-02 17:01:21<BR />11111112 Received,Completed 2022-11-02 17:01:21<BR />11111113 Received,Completed 2022-11-02 17:01:21<BR />11111114 Received,Error 2022-11-02 17:01:21<BR />11111115 Received,Completed 2022-11-02 17:01:21</P><P>Thank you,</P><P>&nbsp;</P> Wed, 02 Nov 2022 19:36:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619357#M215259 padrsri 2022-11-02T19:36:47Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619358#M215260 <P>You have the right idea, but the RequestID regex needs improvement.</P><LI-CODE lang="markup">index="gd" RequestStatus RequestID | rex "RequestStatus = (?&lt;RequestStatus&gt;\S+)" | rex "RequestID = (?&lt;RequestID&gt;\S+)" | table RequestID, RequestStatus, _time</LI-CODE> Wed, 02 Nov 2022 19:39:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619358#M215260 richgalloway 2022-11-02T19:39:55Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619360#M215261 <P>Hello&nbsp;&nbsp;Richgalloway,</P><P>Thank you for quick response.&nbsp; somehow, I'm not getting request ID for "RequestStatus = Received; EnvName = tst111; RequestId = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E;" ..&nbsp; do i need regex to excluded "EnvName = tst111;"?&nbsp;&nbsp;</P><P>Thanks,</P> Wed, 02 Nov 2022 20:35:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619360#M215261 padrsri 2022-11-02T20:35:27Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619378#M215269 <P>The RequestID tag is not consistent - sometimes it uses 'D' and sometimes 'd'.&nbsp; This query should handle that.</P><LI-CODE lang="markup">index="gd" RequestStatus RequestID | rex "RequestStatus = (?&lt;RequestStatus&gt;\S+)" | rex "RequestI[Dd] = (?&lt;RequestID&gt;\S+)" | table RequestID, RequestStatus, _time</LI-CODE> Wed, 02 Nov 2022 23:50:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619378#M215269 richgalloway 2022-11-02T23:50:32Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619450#M215289 <P>Thank you for all your help, it's is working as expected&nbsp;</P> Thu, 03 Nov 2022 13:19:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619450#M215289 padrsri 2022-11-03T13:19:07Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619452#M215291 <P>Thank you for all your help. The search is working fine now.&nbsp; Is it possible to display as report like ? Can you please advise</P><P>Search index&nbsp;index="mw_ib_prf507" RequestStatus RequestID<BR />| rex "RequestStatus = (?&lt;RequestStatus&gt;\S+)"<BR />| rex "RequestI[Dd] = (?&lt;RequestID&gt;\S+)"<BR />| table RequestID, RequestStatus</P><P>&nbsp;</P><P><STRONG>Request Id &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RequestStatus&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RequestStatusCount</STRONG></P><P>11111111 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received,Completed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />11111112 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received,Completed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />11111113 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received,Completed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />11111114 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received,Error &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />11111115 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received,Completed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</P><P>11111115 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Received &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1</P> Thu, 03 Nov 2022 13:28:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619452#M215291 padrsri 2022-11-03T13:28:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619681#M215372 <P>I'm not sure how to do that.&nbsp; Sorry.</P> Fri, 04 Nov 2022 15:59:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-results-and-present-as-a-table-of-selected-key/m-p/619681#M215372 richgalloway 2022-11-04T15:59:32Z