Solved: Search in Table

ivoZgu · ‎09-04-2024

(index=hcp_system OR index=hcp_logging) namespace=$env_dd$
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>[^,]+),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>[^,]+),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| eval
IID=if("$interface_dd$"!="", "$interface_dd$", IID),
STEP=if("$step_dd$"!="", "$step_dd$", STEP),
PKEY=if(isnull("$record_id$") OR "$record_id$"="", PKEY, "*" . "$record_id$" . "*"),
STATE=if("$state_dd$"!="", "$state_dd$", STATE),
MSG0=if(isnull("$message_1$") OR "$message_1$"="", MSG0, "*" . "$message_1$" . "*"),
PROPS=if(isnull("$properties$") OR "$properties$"="", PROPS, "*" . "$properties$" . "*")
| search (IID=* OR isnull(IID)) (STEP=* OR isnull(STEP)) (PKEY=* OR isnull(PKEY)) (STATE=* OR isnull(STATE)) (MSG0=* OR isnull(MSG0)) (PROPS=* OR isnull(PROPS))
| table IID STEP PKEY STATE MSG0 PROPS

How to make it show in the table values which are selected in DD and if the search field is "text field" (PKEY MSG0 and PROPS in my case) empty to show what the rex PKEY:\s*(?P<PKEY>[^,]+) will extract.
As current behavior is following:

DD DropDown
TF Text Field

Input :
-DD IID:SF
-DD STEP:RECEIVE_FROM_KAFKA
-DD STATE:IN_PROGRESS

-TF PKEY MSG0 and PROPS are empty

Msg1:"#HLS# IID:SF, STEP:RECEIVE_FROM_KAFKA, PKEY:456, STATE:IN_PROGRESS, MSG0:Success, PROPS:YES #HLE#"
Msg2: "#HLS# IID:SAP, STEP:SEND_TO_KAFKA, PKEY:52345345, STATE:IN_PROGRESS, MSG0:MOO, PROPS:FOO #HLE#"

Extracted Table:
STEP | PKEY | STATE | MSG0 | PROPS
RECEIVE_FROM_KAFKA | 52345345 | IN_PROGRESS | MOO | YES

Resume: the result is mixed in column lines from different messages in the input of the text fields is empty,

How can I make it to extract all messages with the following log pattern and then filter them based on the DD or text fields?

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

View solution in original post

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

Search in Table

Dashboard Studio

other

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?