Create a table that shows information across multi...

SteGiles89 · ‎09-01-2023

Hi there,

I was wondering if I could get some assistance on whether the following is possible. I am quite new to creating tables in Splunk.

In Splunk, we have logs for an export process. Each step of the export process has the same ID to show it's part of the same request and each event in the chain has a type.

I'd like to create a table that lists all exports over a given time period:

request ID actor.email export.duration startTime exportComplete emailSent

- Each event for the same export has the same requestID

- startTime would be the timestamp of the event with type "startExport"

- exportComplete would be the timestamp of the event with type "exportSuccess" (or "in progress" if an event of that type is not present with that request ID)

- email would be the timestamp of the event with type "send" (or "email not send" if an event of type type is not present with that request ID)

All of this information is available in the original results but the table i have created so far just lists each event sorted by the timestamp which is definitely helpful versus raw results but getting a table like this would be so much better.

ITWhisperer · ‎09-01-2023

You could start by creating fields based on various criteria e.g.

| eval startTime=if(eventtype="startExport", _time, null())
| eval exportComplete=if(eventtype="exportSuccess", _time, null())

Then you can gather the values of these fields by requestId

| stats values(startTime) as startTime values(exportComplete) as exportComplete by requestId

Create a table that shows information across multiple events grouped by a common value

eval

stats

table

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?