Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Displaying data in table

goyals05
Explorer
‎03-28-2018 03:56 AM

Hello,

How to display these logs in table format.

Raw data
Source 1:
2018-03-25 00:30:00 Backup Process Started
2018-03-25 11:44:03 Backup process Finished
2018-03-25 11:50:00 backup_size=5.2T

Source 2:
2018-03-21 00:30:00 Backup Process Started
2018-03-21 11:45:22 Backup process Finished
2018-03-21 11:50:00 backup_size=5.5T

Output:
    Start                  Finish                      size
    2018-03-21 00:30:00   2018-03-21 11:45:22          5.2T
    2018-03-25 00:30:00   2018-03-25 11:44:03          5.5T

Thankyou

Tags (2)
0 Karma
Reply

kmaron
Motivator
‎03-28-2018 06:41 AM

Depending on how your data is broken out you'll probably need some regex to break out your individual fields but once that is done you can accomplish the table with something like this

| eval StartTime = case(field_name="Backup Process Started", time_field_name)
| eval FinishTime = case(field_name="Backup Process Finished", time_field_name)
| eval BackupSize = case(field_name="backup_size", size_field_name)
| transaction Date_Field maxspan=24h
| table StartTime FinishTime BackupSize

I put all of your data into fields that correspond to the columns in your table then I used transaction to group them by date.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...