Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create something like a ASCII table for sending results into the notes section of an application?

ssd
Loves-to-Learn Everything
‎01-15-2021 01:45 AM

Hi there,

i am trying to figure out a way, to output results of an alert as a table into an external application e.g. a ticketing tool which has a "notes"-textbox which allows just plain text. 

At the moment, i just send the raw logs by $result._raw$, but what i want to do is something like:

Query Example:

index=main sourcetype=WinEventLog:Security EventID IN (4624,4625)

| stats count by _time, user, EventID, host

DESIRED OUTPUT for the external Application:

+--------+-------+---------+----------+
| _time | user | EventID | host        |
+--------+-------+---------+----------+
| time_1 | alice | 4625 | 10.0.0.5 | 
| time_2 | bob |  4624  | 10.0.0.6 |
| time_3 | tom |  4624  | 10.0.0.7 |
+--------+-------+---------+----------+

 

Is this possible?  First i thought mvcombine, but don´t now if such a pattern is possible?

Kind regards

ssd

Labels (1)
Labels
0 Karma
Reply

FloSwiip
Path Finder
‎02-17-2023 08:14 AM

I checked for the same today
The real implementation would be an add-on using python lib to do this nicely.

I try to do something in SPL, but a better padding would be needed 😜

 

``` code to add after your search ```
| foreach * [ eval mytitles_r_here=mvappend(mytitles_r_here,"<<FIELD>>"),
                   myrows_r_here=mvappend(myrows_r_here,'<<FIELD>>') ]

``` building lines with delimiters ```
| eval mytitles_r_here="| ".mvjoin(mytitles_r_here," | ")." |"
| eval myrows_r_here="| ".mvjoin(myrows_r_here," | ")." |"
| eval thisispadding=myrows_r_here | rex mode=sed field=thisispadding "s/[^|]/-/g"
| eval myrows_r_here = mvappend(thisispadding,myrows_r_here)

``` merging the rows```
| stats first(mytitles_r_here) AS mytitles_r_here
        list(myrows_r_here) AS myrows_r_here
        first(thisispadding) AS thisispadding
| eval myrows_r_here = mvappend(myrows_r_here,thisispadding)

``` merging with title```
| eval thisispadding=mytitles_r_here | rex mode=sed field=thisispadding "s/[^|]/-/g"
| eval this_is_the_result=mvappend(thisispadding,mytitles_r_here,myrows_r_here)

| table this_is_the_result

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...