How can I perform a field extraction and display it as a table that contains all the values from my search?

senthamilselvan
Engager

Hi Team,

Please find the log sample below. I want to extract from the line "Program" till the end and display it as a table which contains all the values, as shown in the output.

REPLICATION LAG

Oracle GoldenGate Command Interpreter for DB2 Version 12.1.2.1.5 20635622 OGGCORE_12.1.2.1.0OGGBP_PLATFORMS_150320.0454
AIX 6, ppc, 64bit (optimized), DB2 10.5 on Apr 23 2015 00:58:12 Operating system character set identified as ISO-8859-1.

Copyright (C) 1995, 2015, Oracle and/or its affiliates. All rights reserved.

GGSCI (nc006qad02) 1> info all

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05    

The output table will be as follows, and the first line will be the header of the table.

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05
0 Karma

richgalloway
SplunkTrust

If you can treat all of the lines as a single event then the multikv command should help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
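As an added example (not part of richgalloway's reply, and not Splunk documentation), this is what the multikv approach looks like when the whole `info all` block is indexed as one multi-line event. The index and sourcetype are placeholders to replace with your own; the field names assume multikv keeps the header tokens as written (Program, Status, Group, LagatChkpt, TimeSinceChkpt), so check the extracted names in the field sidebar first. The last two lines are an extra on top of the requested table: they turn the hours:minutes:seconds lag into a number you can threshold on.

```spl
index=PLACEHOLDER_INDEX sourcetype=PLACEHOLDER_SOURCETYPE "info all"
| multikv fields Program Status Group LagatChkpt TimeSinceChkpt
| table _time Program Status Group LagatChkpt TimeSinceChkpt
| rex field=LagatChkpt "^(?<lag_h>\d+):(?<lag_m>\d{2}):(?<lag_s>\d{2})$"
| eval lag_seconds = lag_h * 3600 + lag_m * 60 + lag_s
```

multikv picks the header line itself, but the sample event contains other lines it could mistake for one (for example "REPLICATION LAG" near the top). If the fields come out wrong, add `forceheader=<n>` to the multikv command, where n is the 1-based line number of the "Program Status Group ..." line within the event. Rows such as MANAGER and JAGENT have no Group or lag values, so LagatChkpt is empty for them and lag_seconds stays null; that is expected. For monitoring rather than display, append `| where Status!="RUNNING" OR lag_seconds>300` (threshold is illustrative) to surface stopped or abended replicats and the RRAHG-style lag seen in the sample.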

somesoni2
SplunkTrust

Are all those lines part of a single event?

0 Karma

senthamilselvan
Engager

We can consider it as a single event, or we can break it into multiple events as well, because that is the sample file I am going to index.

0 Karma
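Since the asker is also open to indexing the file line by line, here is an added example (not from any reply on this thread) for that case. Each row is then its own event and multikv does not apply, so the columns are pulled out with rex instead. The regex is written for the sample's layout: Group, LagatChkpt and TimeSinceChkpt are either all present or all absent on a row, so they sit in one optional group, which is what keeps MANAGER and JAGENT from having their values shifted into the wrong columns. Index and sourcetype are placeholders; the search terms limit the rows to the Program values that appear in the sample.

```spl
index=PLACEHOLDER_INDEX sourcetype=PLACEHOLDER_SOURCETYPE (MANAGER OR JAGENT OR REPLICAT)
| rex "^(?<Program>[A-Z]+)\s+(?<Status>[A-Z]+)(?:\s+(?<Group>\S+)\s+(?<LagatChkpt>\d+:\d{2}:\d{2})\s+(?<TimeSinceChkpt>\d+:\d{2}:\d{2}))?\s*$"
| where isnotnull(Program)
| table _time Program Status Group LagatChkpt TimeSinceChkpt
```

The `[A-Z]+` classes deliberately do not match the mixed-case header line, and the `where isnotnull(Program)` step drops the banner, copyright and GGSCI prompt lines that the search terms let through. If you later see rows with a Group but no lag columns, the optional group will need splitting so each of the three trailing columns is optional on its own.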