Reporting

How can I reformat this report?

GersonGarcia
Path Finder

All,

I have this search

 

 

 

index=sro sourcetype=sro-cosmo "DL Cert OK" "Security Posture End of sweep report" | extract pairdelim="\n" kvdelim=":" 
| rex field=_raw "--ticket \'(?<ticket>.+)\' --summary" | fillnull value=0 | table _time ticket SA_Fail_Total_Count SA_Success_Count SA_Unreachables LP_Firmware_too_old | dedup _time ticket

 

 

 

That results in:

Screenshot 2022-11-28 155908.png

But my user wants in this format:

Screenshot 2022-11-28 155835.png

I am using Splunk 8.2.6.

Is there any way to format this report? So my user does not need to manipulate it in Excel?

Thank you,

Gerson Garcia

Labels (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

You cannot get the mangled tabulation supported by many spreadsheets (because Splunk really only do tables, not pseudo tables), but this can be close visually:

index=sro sourcetype=sro-cosmo "DL Cert OK" "Security Posture End of sweep report"
| extract pairdelim="\n" kvdelim=":" 
| rex field=_raw "--ticket \'(?<ticket>.+)\' --summary"
| fillnull value=0
| table _time ticket SA_Fail_Total_Count SA_Success_Count SA_Unreachables LP_Firmware_too_old
| dedup _time ticket
| eval headings = mvappend(strftime(_time, "%m/%d/%Y %H:%M"), "SA_Fail_Total_Count", "SA_Success_Count", "SA_Unreachables", "LP_Firmware_too_old")
| eval values = mvappend(ticket, SA_Fail_Total_Count, SA_Success_Count, SA_Unreachables, LP_Firmware_too_old)
| foreach headings values
    [eval <<FIELD>> = mvjoin(<<FIELD>>, "
")]
| fields headings values

 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...