Splunk Search

How to build a table out of this log file?

SS1
Path Finder

Hi,

I have the log file below and I would like to build a table out of it (Line1, Line2, Line3, Line4 are just for understanding).

Line1: 2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice
Line2: 2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice
Line3: 2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google
Line4: 2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice


Desired Table:

Issue                         True   False
Password Expiration Notice       2       0
High Memory usage Google         0       1

 

Calculating False: Line1-Line2, i.e. I need to subtract the count of events with "True [Home]" from "False"

Calculating True: number of events with "True"


bowesmana
SplunkTrust

You may already have fields that exist, but this example assumes the data you supplied is the raw data.

| makeresults 
| eval x=split("2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice", "###")
| mvexpand x
| fields - _time
| rename x as _raw
| rex "(?<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) (?<bool>(True|False)) ((?<home>\[Home\])? )?(?<platform>\[[^\]]*\]) (?<Issue>.*)"
| stats count(eval(bool="False")) as False count(eval(bool="True")) as True count(eval(home="[Home]")) as Home by Issue
| eval False = False - Home
| table Issue True False

The rex statement parses out the fields, then the stats does the basic calcs, and the False count is adjusted at the end.

 

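As an added cross-check, not part of the answer above, the same extraction and counting logic in Python: it uses the answer's rex pattern (converted to Python's named-group syntax) over the four constructed lines from the question, so the expected True/False table can be verified outside Splunk.

```python
import re
from collections import defaultdict

# Constructed sample input: the four lines from the question, joined with
# "###" the same way the answer does before mvexpand.
RAW_LOG = (
    "2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###"
    "2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###"
    "2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###"
    "2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice"
)

# Same pattern as the answer's rex; (?<name>...) becomes (?P<name>...) in Python.
LINE_RE = re.compile(
    r"(?P<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) "
    r"(?P<bool>True|False) "
    r"((?P<home>\[Home\])? )?"
    r"(?P<platform>\[[^\]]*\]) "
    r"(?P<Issue>.*)"
)


def parse_events(raw, sep="###"):
    """Split the raw string into events and extract the fields, like rex does.
    Lines that do not match yield no fields and are skipped, as in Splunk."""
    events = []
    for line in raw.split(sep):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())  # 'home' is None when [Home] is absent
    return events


def build_table(events):
    """Per Issue: True = events flagged True; False = events flagged False
    minus the "True [Home]" events, exactly as the question defines it."""
    counts = defaultdict(lambda: {"True": 0, "False": 0, "Home": 0})
    for ev in events:
        row = counts[ev["Issue"]]
        row[ev["bool"]] += 1
        if ev["home"] == "[Home]":
            row["Home"] += 1
    return {issue: {"True": c["True"], "False": c["False"] - c["Home"]}
            for issue, c in counts.items()}


if __name__ == "__main__":
    table = build_table(parse_events(RAW_LOG))
    print(f"{'Issue':<30}{'True':>6}{'False':>7}")
    for issue, c in table.items():
        print(f"{issue:<30}{c['True']:>6}{c['False']:>7}")
```

Note that, exactly like the SPL, a "True [Home]" event with no matching "False" event for the same Issue drives the False column negative; check for that if the real data can contain it.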