Controlling Text - Output Table formatted data to text

regarza
Engager

We are in the process of generating Events in ServiceNow using the Splunk add-on for ServiceNow. We are passing Event information in the description field to communicate to the end user what actions need to be addressed. As part of the output we want to include a table of information that summarizes the events detected. We are able to aggregate and group the information as necessary, just having a hard time establishing a pattern where we can consistently control the output.

We have had issues formatting the data and we are seeking guidance on how we can exert greater control over the format. We would like to include a brief sentence with instructions on how to move forward and we would like to identify all events impacted in table format.

 

|eval instructions = "The message we are seeking would look like the content below:  The header column and the output needs to be aligned and easy to read for the end user.    I have used a MVAppend Statement to add the header to a column, but could not concatenate the information in a manner where it display the information in a table format.   "  . "

"

| eval cheader = "Host                      Account                Action  "

| eval tabledata= host . "              " . Account . "   " .    Action  

| eval instructions =  instructions . cheader . tabledata

 

"The account is a controlled account and you will need to provide justification for accessing the account outside of security controls.  Please review the table of events and provide insight into why control was violated."

Table of Events:  

Host                      Account           Action    

LC200506         admin                Success 

LC200507         admin                Failure

 

 
