Splunk Search

How to search and create a table report?

runiyal
Path Finder

I have a logfile with information like this:

2023-04-05 13:54:17.259 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. DanBkDg981
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:208] Amount Number . 00902418
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 05349531
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:210] Address. 2912 9TH ST W
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:211] Email. test@aol.com
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:212] Pmt Amount . 999.00
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:213] Pmt Date . 05012023I

I need a report in table format for these columns:

"RequestID", "Policy Number", "Email", "Address", "Amount Number", "Pmt Amount", "Pmt Date"

We can search based on the keyword "OTPViewController", should look for consecutive entries with the same thread number "http-nio-8080-exec-117", and the extraction of each value should start from the keyword and the dot ".".

I will appreciate your feedback and time.


runiyal
Path Finder

I tried to run the following query. Although it runs over 20K events, it's not generating output in the table.

index=yourindex "OTPViewController"
| rex "(?ms)OTPViewController:(?<session>http-nio-8080-exec-\d+).*?Policy Number\. (?<PolicyNumber>[^\n]+)\n.*?Email\. (?<Email>[^\n]+)\n.*?Address\. (?<Address>[^\n]+)\n.*?Amount Number \. (?<AmountNumber>[^\n]+)\n.*?Pmt Amount \. (?<PmtAmount>[^\n]+)\n"
| stats values(*) as * by session
| table PolicyNumber, Email, Address, AmountNumber, PmtAmount

Can you tell what can be the issue here?


richgalloway
SplunkTrust

This is the Splunk Community, not chatGPT. 😀

Please share the queries you've tried so far and how they've not met your expectations. We'll be happy to correct errors and misconceptions.

---
If this reply helps you, Karma would be appreciated.

somesoni2
Revered Legend

The following Splunk documentation will get you started.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Managesearch-timefieldextractions

Extract all the fields, i.e. your data fields + thread_id (the value within the first set of square brackets) + module_name (the value within the second set of square brackets).

Once you have your fields extracted, try something like this to get the report:

Your base search
| table thread_id module_name "RequestID", "Policy Number", "Email", "Address", "Amount Number", "Pmt Amount", "Pmt Date"
| stats values(*) as * by thread_id module_name

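As an added example that is not part of the thread, here is one way to build the report somesoni2 describes when each log line is indexed as its own event. It assumes an index named `yourindex` (placeholder) and the exact log layout from the question: the thread id is in the first square-bracket pair, before `OTPViewController`, and a request starts with the "The list of the form bean" line. Because a Tomcat worker thread such as `http-nio-8080-exec-117` is reused for many requests, grouping by thread_id alone would merge unrelated payments, so the example numbers each request per thread with streamstats and groups by that number as well.

```spl
index=yourindex "OTPViewController"
| rex "\[(?<thread_id>http-nio-8080-exec-\d+)\]\[OTPViewController:\d+\]\s+(?<msg>.*)$"
| rex field=msg "^(?<label>Payment Request ID|Amount Number|Policy Number|Address|Email|Pmt Amount|Pmt Date)[^.]*\.\s*(?<value>.+?)\s*$"
| sort 0 _time
| streamstats sum(eval(if(match(msg, "^The list of the form bean"), 1, 0))) as txn by thread_id
| where isnotnull(label)
| eval label=replace(label, " ", "")
| eval {label}=value
| stats earliest(_time) as _time
        values(PaymentRequestID) as RequestID
        values(PolicyNumber) as "Policy Number"
        values(Email) as Email
        values(Address) as Address
        values(AmountNumber) as "Amount Number"
        values(PmtAmount) as "Pmt Amount"
        values(PmtDate) as "Pmt Date"
        by thread_id txn
| table _time thread_id RequestID "Policy Number" Email Address "Amount Number" "Pmt Amount" "Pmt Date"
```

The first rex only captures the thread id and the message text, and the second turns each message into a label/value pair, so a line that has no label (the "form bean" marker) still keeps its thread_id and can increment the per-thread request counter before being dropped. If your events are multi-line (one event per request), the streamstats step is unnecessary and a single `(?ms)` rex over `_raw` followed by `stats ... by thread_id` is enough.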