Displaying data in table

goyals05 — Wed, 28 Mar 2018 10:56:59 GMT

Hello,

How to display these logs in table format.

Raw data
Source 1:
2018-03-25 00:30:00 Backup Process Started
2018-03-25 11:44:03 Backup process Finished
2018-03-25 11:50:00 backup_size=5.2T

Source 2:
2018-03-21 00:30:00 Backup Process Started
2018-03-21 11:45:22 Backup process Finished
2018-03-21 11:50:00 backup_size=5.5T

Output:
    Start                  Finish                      size
    2018-03-21 00:30:00   2018-03-21 11:45:22          5.2T
    2018-03-25 00:30:00   2018-03-25 11:44:03          5.5T

Thankyou

Re: Displaying data in table

kmaron — Wed, 28 Mar 2018 13:41:11 GMT

Depending on how your data is broken out you'll probably need some regex to break out your individual fields but once that is done you can accomplish the table with something like this

| eval StartTime = case(field_name="Backup Process Started", time_field_name)
| eval FinishTime = case(field_name="Backup Process Finished", time_field_name)
| eval BackupSize = case(field_name="backup_size", size_field_name)
| transaction Date_Field maxspan=24h
| table StartTime FinishTime BackupSize

I put all of your data into fields that correspond to the columns in your table then I used transaction to group them by date.

topic Re: Displaying data in table in Splunk Search

Displaying data in table

Re: Displaying data in table