Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a table using different fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chandana204
Communicator
01-30-2018
08:53 AM
i have this kind of data:
event 1:
field_name=field_value
status="process"
status_file="file_name"
event 2:
field_name=field_value
status="send"
status_file="file_name"
event 3:
field_name=field_value
transfer_status="transferred"
transfer_file="file_name"
event 4:
field_name=field_value
fatal_type1 = "reason1"
fatal_type1_file="file_name"
event 5:
field_name=field_value
fatal_type2 = "reason2"
fatal_type2_file="file_name"
From all of the events above, common value is file_name rest of them are different. If the file_name matches with other file_types, it should list all I wanted make a report as below
file_name, file_types , file_types_count
abfskjsfjskjjv, process , 4
send
transferred
reason2
fhehrhashlahsf, process, 2
reason1
fhkawuruhshfhuaf, process , 3
send
transferred
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
01-30-2018
09:44 AM
try this,
| makeresults
| eval event1="field_name=field_value status=\"process\" status_file=\"file_name\""
| eval event2="field_name=field_value status=\"send\" status_file=\"file_name\""
| eval event3="field_name=field_value transfer_status=\"transferred\" transfer_file=\"file_name\""
| eval event4="field_name=field_value fatal_type1=\"reason1\" fatal_type1_file=\"file_name\""
| eval event5="field_name=field_value fatal_type2=\"reason2\" fatal_type2_file=\"file_name\""
| fields - _time
| transpose
| fields - column
| rename "row 1" as events
| rex field=events "field_name=(?P<field_name>field_value)"
| rex field=events "(status|type\d+)=\"(?P<status>\S+)\""
| rex field=events "file=\"(?P<status_file>\S+)\""
| stats values(status) as file_types, count as file_types_count by status_file
| rename status_file as file_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
01-30-2018
09:44 AM
try this,
| makeresults
| eval event1="field_name=field_value status=\"process\" status_file=\"file_name\""
| eval event2="field_name=field_value status=\"send\" status_file=\"file_name\""
| eval event3="field_name=field_value transfer_status=\"transferred\" transfer_file=\"file_name\""
| eval event4="field_name=field_value fatal_type1=\"reason1\" fatal_type1_file=\"file_name\""
| eval event5="field_name=field_value fatal_type2=\"reason2\" fatal_type2_file=\"file_name\""
| fields - _time
| transpose
| fields - column
| rename "row 1" as events
| rex field=events "field_name=(?P<field_name>field_value)"
| rex field=events "(status|type\d+)=\"(?P<status>\S+)\""
| rex field=events "file=\"(?P<status_file>\S+)\""
| stats values(status) as file_types, count as file_types_count by status_file
| rename status_file as file_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
01-30-2018
09:38 AM
@chandana204, please try the following:
<YourBaseSearch>
| eval file_name=coalesce(coalesce(coalesce(status_file,transfer_file),fatal_type1_file),fatal_type2_file)
| eval file_types=coalesce(coalesce(coalesce(status,transfer_status),fatal_type1),fatal_type2)
| stats list(file_types) as file_types count(file_types) as file_types_count by file_name
Following is a run anywhere search example based on sample data
| makeresults
| eval field_name="field_value",status="process",status_file="abfskjsfjskjjv"
| append [| makeresults
| eval field_name="field_value",status="process",status_file="fhehrhashlahsf"]
| append [| makeresults
| eval field_name="field_value",status="process",status_file="fhkawuruhshfhuaf"]
| append [| makeresults
| eval field_name="field_value", status="send", status_file="abfskjsfjskjjv"]
| append [| makeresults
| eval field_name="field_value", status="send", status_file="fhkawuruhshfhuaf"]
| append [| makeresults
| eval field_name="field_value", transfer_status="transferred",transfer_file="abfskjsfjskjjv"]
| append [| makeresults
| eval field_name="field_value", transfer_status="transferred",transfer_file="fhkawuruhshfhuaf"]
| append [| makeresults
| eval field_name="field_value", fatal_type1 = "reason1", fatal_type1_file="fhehrhashlahsf"]
| append [| makeresults
| eval field_name="field_value", fatal_type2 = "reason2", fatal_type2_file="abfskjsfjskjjv"]
| eval file_name=coalesce(coalesce(coalesce(status_file,transfer_file),fatal_type1_file),fatal_type2_file)
| eval file_types=coalesce(coalesce(coalesce(status,transfer_status),fatal_type1),fatal_type2)
| stats list(file_types) as file_types count(file_types) as file_types_count by file_name
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
Security Professional: Sharpen Your Defenses with These .conf25 Sessions
Sooooooooooo, guess what.
.conf25 is almost here, and if you're on the Security Learning Path, this is your ...
First Steps with Splunk SOAR
Our first step was to gather a list of the playbooks we wanted and to sort them by priority. Once this list ...
How To Build a Self-Service Observability Practice with Splunk Observability Cloud
If you’ve read our previous post on self-service observability, you already know what it is and why it ...
