How to build a table out of this log file?

SS1 · ‎08-24-2022

Hi,

I have below log file, I would like to build a table out of it (Line1, Line2,Line3,Line4 are just for understanding)

Line1: 2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice
Line2: 2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice
Line3: 2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google
Line4: 2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice

Desired Table:

Issue True False
Password Expiration Notice 2 0
High Memory usage Google 0 1

Caluclating False: Line1-Line2 i.e. i need to Subtract count of events with "True [Home]" from "False"

Caluclation True: Number of events with "True"

bowesmana · ‎08-24-2022

You may already have fields that exist, but this example assumes the data you supplied is the raw data

| makeresults 
| eval x=split("2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice", "###")
| mvexpand x
| fields - _time
| rename x as _raw
| rex "(?<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) (?<bool>(True|False)) ((?<home>\[Home\])? )?(?<platform>\[[^\]]*\]) (?<Issue>.*)"
| stats count(eval(bool="False")) as False count(eval(bool="True")) as True count(eval(home="[Home]")) as Home by Issue
| eval False = False - Home
| table Issue True False

rex statement parses out the fields and then the stats does the basic calcs and the False is adjusted at the end

How to build a table out of this log file?

chart

eval

field extraction

fields

lookup

stats

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk