topic Re: How to write a search to produce a table with specified fields based on certain tags found in results? in Splunk Search

How to write a search to produce a table with specified fields based on certain tags found in results?

alex1895 — Wed, 10 Feb 2016 19:51:37 GMT

I want to build a table with different fields depending on the search result.

If a certain tag or another tag is found, I need to produce a table with certain fields OR if other tags are found, I need a table with other fields.

Re: How to write a search to produce a table with specified fields based on certain tags found in results?

somesoni2 — Wed, 10 Feb 2016 20:25:58 GMT

Have you looked that this??

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Fieldsummary

Re: How to write a search to produce a table with specified fields based on certain tags found in results?

alex1895 — Wed, 10 Feb 2016 22:18:00 GMT

Not really sure how this helps. I don't want to show statistic for each field. The table should just show the value of the fields for each event. That is my search:

index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$ AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations) | table vendor* ,dvc*,ids_type,tag,action*,category,signature,src*,dest*,user,severity*,_raw

I want to be able to adjust the table fields depending on what tags are included.

Re: How to write a search to produce a table with specified fields based on certain tags found in results?

Richfez — Fri, 12 Feb 2016 03:05:34 GMT

I might take creative (or totally bland) field naming, but you could try using macros to do the table formatting then pass it the fields you want. For instance, I did this with some logs of my own:

 ... | eval a1=eventtype 
| eval a2=bytes_in | eval a3=bytes_out | eval a4=ack_packets_in | eval a5=ack_packets_out 
| `my-table(a1 a2 a3 a4 a5)`

That results in a table with fields labeled a1 through a5. Obviously change those to whatever names you want. This depends on a macro I created that consists of

name: my-table(5)
definition: table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$
arguments: arg1,arg2,arg3,arg4,arg5

You can create several of these only differing by the number of arguments, then you can call them all the same. So if you have a my-table(4) and my-table(5), and you called

... | `my-table(myfield1 myfield2 myfield3 myfield4)`

It would use the 4 argument version.

To vary things, you could use some generic other field category, and maybe call it like this example below using a "built in" field EventCode and a "generated" fields OtherInfo1.

... | eval OtherInfo1=if(isnotnull(somefield),somefield, someotherfield) | `my-table(EventCode, OtherInfo1)`

Similarly, other types of those calculations may work, like

... | eval a2=if(bytes_in>0,bytes_in,EventCode)

Which I totally made up and is nonsense, but does work.

BTW, be sure to set permissions appropriately on the macro! You can browse the docs on macros for more.

Re: How to write a search to produce a table with specified fields based on certain tags found in results?

alex1895 — Wed, 17 Feb 2016 03:49:35 GMT

Thanks, Great Answer. How do bring the condition if this tag matches, built this table, and if this tag matches built this table in?