Hey guys, I have the following data in Splunk. Each event has 4 lines (which are separated by newlines) and every line in an event represents the value of a variable.
My question: can I generate a table in which I list every event with the four variables? The table I want to have should look like the following Excel table:
Thanks for your help!
Hi @leon12,
I suppose that the Datum is also the timestamp of the event.
In this case, please try something like this:
<your_search>
| rex "(?ms)Description:\s+(?<Description>[^\r\n]+).*Node:\s+(?<Node>[^\r\n]+).*Severity:\s+(?<Severity>[^\r\n]+)"
| table _time Description Node Severity
You can test that at https://regex101.com/r/tCns4x/1
If Datum isn't also the timestamp, you have two ways:
I suggest the first solution.
Ciao.
Giuseppe
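As an added example (not part of Giuseppe's answer or the original post), the extraction above replayed offline in Python on constructed four-line events, so the captured values can be inspected before the rex goes into a saved search. The event layout (a "Datum:", "Description:", "Node:" and "Severity:" line, in that order) and all sample values are assumptions for this example; the page only names the fields. Python spells named groups as `(?P<name>...)` where Splunk's rex uses `(?<name>...)`, and the block keeps the greedy `(?<Description>.*)` form beside a line-bound form to show why the greedy one captures the line break before the next label.

```python
import re
from typing import Optional

# Constructed sample events (not from the original post): four lines per event,
# one "label: value" pair per line, using the field names the thread mentions.
SAMPLE_EVENTS = [
    "Datum: 2021-03-01 08:15:00\n"
    "Description: Disk usage above 90%\n"
    "Node: srv-web-01\n"
    "Severity: Warning",
    "Datum: 2021-03-01 08:17:30\n"
    "Description: Service restarted\n"
    "Node: srv-db-02\n"
    "Severity: Info",
    # A truncated event with no Severity line, to show what a non-match does.
    "Datum: 2021-03-01 08:20:05\n"
    "Description: Login failures exceeded threshold\n"
    "Node: srv-auth-01",
]

FIELDS = ("Datum", "Description", "Node", "Severity")

# Line-bound extraction: each value runs to the end of its own line, so no
# newline is captured. Python spells named groups (?P<name>...), where the
# PCRE-style rex in Splunk uses (?<name>...); the rest of the pattern is the same.
FIELD_RE = re.compile(
    r"(?ms)Datum:\s+(?P<Datum>[^\r\n]+)"
    r".*?Description:\s+(?P<Description>[^\r\n]+)"
    r".*?Node:\s+(?P<Node>[^\r\n]+)"
    r".*?Severity:\s+(?P<Severity>[^\r\n]+)"
)

# The greedy form, kept for comparison: with the s flag, the .* inside each
# group crosses line breaks, so the captured value ends with the newline that
# precedes the next label.
GREEDY_RE = re.compile(
    r"(?ms).*Description:\s(?P<Description>.*)"
    r".*Node:\s+(?P<Node>.*)"
    r".*Severity:\s+(?P<Severity>.*)"
)


def extract_fields(event: str) -> Optional[dict]:
    """Return the four fields of one event, or None when any label is missing.
    Like rex, one regex failing means none of its groups are populated."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else None


def extract_greedy(event: str) -> Optional[dict]:
    """Same extraction with the greedy pattern, to inspect the captured values."""
    m = GREEDY_RE.search(event)
    return m.groupdict() if m else None


def build_table(events) -> list:
    """Equivalent of `| table _time Description Node Severity`: one row per
    event in event order; a non-matching event keeps its row with empty cells,
    just as a failed rex leaves the fields null. Datum stands in for _time here."""
    rows = []
    for ev in events:
        f = extract_fields(ev) or {}
        rows.append(tuple(f.get(name, "") for name in FIELDS))
    return rows


def render(rows) -> str:
    """Plain-text rendering of the table with a header row."""
    header = ("_time", "Description", "Node", "Severity")
    widths = [max(len(r[i]) for r in (header, *rows)) for i in range(len(header))]
    lines = [" | ".join(c.ljust(w) for c, w in zip(header, widths))]
    lines.append("-+-".join("-" * w for w in widths))
    for r in rows:
        lines.append(" | ".join(c.ljust(w) for c, w in zip(r, widths)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_table(SAMPLE_EVENTS)))
```

Running the block prints one row per sample event; the third row is empty because a single missing label makes the whole pattern fail, which is the same all-or-nothing behaviour rex shows when one of the four lines is absent from an event.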