Solved: How to extract, convert and show data

Sentira · ‎06-23-2021

I have following data and :

......
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[10202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[00202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"
.....

I need to extract the "First_Status" and "Second_Status" of a Chute and the field from log data and each 2 characters of value belongs to one Item.
Example: first character set "20", 2 is for First_Status and means OK and 0 is for Second_Status and means NOT OK for Item_1. (Total Items= 128/2 = 64)
Finally I want to extract the raw data and convert to First_Status , Second_Status and link them to a fix Item
(Item_1...Item_64):

_time	Items	First_Status	Second_Status
2021-06-18 21:05:45.037	Item_1	Ok	Ok
2021-06-18 21:05:46.037	Item_1	Not Ok	Not Ok
2021-06-18 21:05:47.037	Item_2	Ok	Ok
2021-06-18 21:05:49.037	Item_n	....	.....

....

ITWhisperer · ‎06-23-2021

| makeresults 
| eval _raw="2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"


| rex "ChuteAndStatus=\[(?<ChuteAndStatus>[^\]]+)"
| rex max_match=0 field=ChuteAndStatus "(?<ChuteAndStatus>\d\d)"
| streamstats count as row 
| mvexpand ChuteAndStatus
| streamstats count as item by row
| eval item="item_".item
| eval First_Status=substr(ChuteAndStatus,1,1)
| eval Second_Status=substr(ChuteAndStatus,2,1)
| eval First_Status=case(First_Status==0,"Not OK",First_Status==1,"OK",First_Status=2,"Not Known")
| eval Second_Status=case(Second_Status==0,"Not OK",Second_Status==1,"OK",Second_Status=2,"Not Known")

View solution in original post

ITWhisperer · ‎06-23-2021

| makeresults 
| eval _raw="2021-06-18 21:05:45.037 +02:00 [Information] ChuteAndStatus=[20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020]"


| rex "ChuteAndStatus=\[(?<ChuteAndStatus>[^\]]+)"
| rex max_match=0 field=ChuteAndStatus "(?<ChuteAndStatus>\d\d)"
| streamstats count as row 
| mvexpand ChuteAndStatus
| streamstats count as item by row
| eval item="item_".item
| eval First_Status=substr(ChuteAndStatus,1,1)
| eval Second_Status=substr(ChuteAndStatus,2,1)
| eval First_Status=case(First_Status==0,"Not OK",First_Status==1,"OK",First_Status=2,"Not Known")
| eval Second_Status=case(Second_Status==0,"Not OK",Second_Status==1,"OK",Second_Status=2,"Not Known")

How to extract, convert and show data

eval

fields

regex

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?