Splunk Search

How to build a table out of this log file?

SS1
Path Finder

Hi,

I have below log file, I would like to build a table out of it (Line1, Line2,Line3,Line4 are just for understanding)

Line1: 2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice
Line2: 2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice
Line3: 2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google
Line4: 2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice


Desired Table:

Issue                                                             True      False
Password Expiration Notice                     2          0
High Memory usage Google                     0           1

 

Caluclating False: Line1-Line2 i.e. i need to Subtract count of events with "True [Home]" from "False"

Caluclation True: Number of events with "True"

Labels (6)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

You may already have fields that exist, but this example assumes the data you supplied is the raw data

| makeresults 
| eval x=split("2022-05-22 02:02:20 PM UTC False [Android] Password Expiration Notice###2022-05-22 06:05:49 PM UTC True [Home] [Android] Password Expiration Notice###2022-05-29 04:24:52 AM UTC False [Android] High Memory usage Google###2022-05-29 06:05:49 PM UTC True [Android] Password Expiration Notice", "###")
| mvexpand x
| fields - _time
| rename x as _raw
| rex "(?<t>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w{2} [^ ]*) (?<bool>(True|False)) ((?<home>\[Home\])? )?(?<platform>\[[^\]]*\]) (?<Issue>.*)"
| stats count(eval(bool="False")) as False count(eval(bool="True")) as True count(eval(home="[Home]")) as Home by Issue
| eval False = False - Home
| table Issue True False

rex statement parses out the fields and then the stats does the basic calcs and the False is adjusted at the end

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...