Displaying data in table

goyals05 · ‎03-28-2018

Hello,

How to display these logs in table format.

Raw data
Source 1:
2018-03-25 00:30:00 Backup Process Started
2018-03-25 11:44:03 Backup process Finished
2018-03-25 11:50:00 backup_size=5.2T

Source 2:
2018-03-21 00:30:00 Backup Process Started
2018-03-21 11:45:22 Backup process Finished
2018-03-21 11:50:00 backup_size=5.5T

Output:
    Start                  Finish                      size
    2018-03-21 00:30:00   2018-03-21 11:45:22          5.2T
    2018-03-25 00:30:00   2018-03-25 11:44:03          5.5T

Thankyou

kmaron · ‎03-28-2018

Depending on how your data is broken out you'll probably need some regex to break out your individual fields but once that is done you can accomplish the table with something like this

| eval StartTime = case(field_name="Backup Process Started", time_field_name)
| eval FinishTime = case(field_name="Backup Process Finished", time_field_name)
| eval BackupSize = case(field_name="backup_size", size_field_name)
| transaction Date_Field maxspan=24h
| table StartTime FinishTime BackupSize

I put all of your data into fields that correspond to the columns in your table then I used transaction to group them by date.

Displaying data in table

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring