Splunk Search

How to build a table out of this log file?

SS1
Path Finder

Hi,

I have the log file below and I would like to build a table out of it (Line1, Line2, Line3, Line4 are just for understanding):

Line1: 2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice
Line2: 2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice
Line3: 2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google
Line4: 2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice


Desired Table:

Issue                         True   False
Password Expiration Notice    2      0
High Memory usage Google      0      1


Calculating False: Line1-Line2, i.e. I need to subtract the count of events with "True [Home]" from "False"

Calculating True: number of events with "True"


bowesmana
SplunkTrust

You may already have fields that exist, but this example assumes the data you supplied is the raw data

| makeresults 
| eval x=split("2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice", "###")
| mvexpand x
| fields - _time
| rename x as _raw
| rex "(?<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) (?<bool>(True|False)) ((?<home>\[Home\])? )?(?<platform>\[[^\]]*\]) (?<Issue>.*)"
| stats count(eval(bool="False")) as False count(eval(bool="True")) as True count(eval(home="[Home]")) as Home by Issue
| eval False = False - Home
| table Issue True False

The rex statement parses out the fields, then the stats does the basic calcs, and the False count is adjusted at the end.


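To check the field extraction and the True/False/[Home] arithmetic outside Splunk, here is an added Python example (not part of the original thread and not bowesmana's code) that applies the same regex to the four sample events from the question and reproduces the stats/eval step. The regex is the one from the SPL answer rewritten with Python's (?P<name>...) group syntax, with the optional [Home] group written in a slightly simplified but equivalent form; the sample lines are constructed from the question.

```python
import re
from collections import defaultdict

# Constructed sample input: the four events from the question.
LOG_LINES = [
    "2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice",
    "2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice",
    "2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google",
    "2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice",
]

# Python equivalent of the rex in the answer. Named groups use (?P<name>...) here;
# the optional "[Home] " token is written as one optional group instead of the
# nested-optional form used in the SPL, which accepts the same lines.
EVENT_RE = re.compile(
    r"(?P<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) "
    r"(?P<bool>True|False) "
    r"((?P<home>\[Home\]) )?"
    r"(?P<platform>\[[^\]]*\]) "
    r"(?P<Issue>.*)"
)


def parse_event(line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Mirror of the stats + eval in the answer.

    Per Issue: count True events, count False events, count events carrying
    [Home], then reduce the False count by the [Home] count. Lines the regex
    does not match are returned separately so they are not silently dropped.
    """
    counts = defaultdict(lambda: {"True": 0, "False": 0, "Home": 0})
    unparsed = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
            continue
        bucket = counts[ev["Issue"]]
        bucket[ev["bool"]] += 1          # count(eval(bool="True")) / count(eval(bool="False"))
        if ev["home"]:
            bucket["Home"] += 1          # count(eval(home="[Home]"))
    table = {}
    for issue, c in counts.items():
        table[issue] = {"True": c["True"], "False": c["False"] - c["Home"]}  # eval False = False - Home
    return table, unparsed


def render(table):
    """Format the result like the desired table in the question (| table Issue True False)."""
    width = max(len("Issue"), *(len(i) for i in table)) if table else len("Issue")
    rows = [f"{'Issue':<{width}}  True  False"]
    for issue, c in table.items():
        rows.append(f"{issue:<{width}}  {c['True']:<4}  {c['False']:<5}")
    return "\n".join(rows)


if __name__ == "__main__":
    result, bad = summarize(LOG_LINES)
    print(render(result))
    if bad:
        print("unparsed lines:", bad)
```

Running it prints the two-row table with Password Expiration Notice at True=2, False=0 and High Memory usage Google at True=0, False=1, matching the desired output; any event that does not fit the pattern is reported instead of being discarded, which is worth checking before trusting the SPL counts on a larger data set.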