Getting event data into columns in a report.

iiooiiooiioo · ‎04-08-2020

I have a script that writes data that looks like this to a log file.

I have this search:

host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor"

and I get these results:

"2020-04-08 17:34:53,589:INFO:       User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42", ...
...
"2020-04-08 17:34:53,574:INFO:       User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42", ...
"2020-04-08 17:34:52,892:INFO:           rehire pabisanh.", ...
...
"2020-04-08 17:34:52,891:INFO:           rehire dadhre.", ...
"2020-04-08 17:34:52,214:INFO:         new_hire grdorimg.", ...
...
"2020-04-08 17:34:52,214:INFO:         new_hire bokdtaua.", ...
"2020-04-08 17:34:51,514:INFO:     terminating hluhsha", ...
...
"2020-04-08 17:34:51,496:INFO:     terminating auamjmo", ...

I would like to generate a report that puts the all the terminated users, new hire users, re-hired users and supervisor changes into a report that has columns for the terminated users, new hire, re-hires and supervisor changes.

(Sorry for the crappy formatting)

  Terminations   New Hires   Re-hires   Super Changes 
| hluhsha    | grdorimg | pabisanh | (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42    |
| auamjmo | bokdtaua | wjtorkuo | (forecscf) changes supervisor from bucreah/id=62931 to fakesuper/id=42     |
| arkgmu2i | tsoh | - | (kaprsaer) changes supervisor from cstiobs/id=127168 to fakesuper/id=42    |
| ivargda     | lkrnluei    |                  | (nfntecoo) changes supervisor from arhreinn/id=561422 to fakesuper/id=42 |
|                   | ontaguh   |                  |                                                                                                                                         |
|                   | oaomkha |                  |                                                                                                                                         |

I have tried this search:

host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor" | table term_users newhires rehires super_changes

But I really do not understand how to create custom fields.
I have tried to use the "Extract New Fields" wizard but cannot seem to get it to do what I need.

to4kawa · ‎04-08-2020

rex can extract new field.

sample:

| makeresults
| eval _raw="raw
2020-04-08 17:34:53,589:INFO: User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42, ...
2020-04-08 17:34:53,574:INFO: User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42, ...
2020-04-08 17:34:52,892:INFO: rehire pabisanh., ...
2020-04-08 17:34:52,891:INFO: rehire dadhre., ...
2020-04-08 17:34:52,214:INFO: new_hire grdorimg., ...
2020-04-08 17:34:52,214:INFO: new_hire bokdtaua., ...
2020-04-08 17:34:51,514:INFO: terminating hluhsha, ...
2020-04-08 17:34:51,496:INFO: terminating auamjmo, ..."
| multikv
| rename COMMNET as "this is sample. from here, the logic"
| rex "(?<date>.*):INFO"
| eval _time=strptime(date,"%F %T,%3N")
| rex "(?<status>rehire|new_hire|terminating)\s(?<user>\w+)"
| rex "User id (?<user_id>\d+)\s\((?<user>\w+)\) changes (?<status>supervisor)"
| table _time user status user_id _raw

and

....
| stats  values(user) as user count as total  by status
| xyseries total status user
| fields - total

Is the report like this?

richgalloway · ‎04-08-2020

What connects termination, new hires, and re-hires to super changes?

---
If this reply helps you, Karma would be appreciated.

Getting event data into columns in a report.

other

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!