- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search and create table report?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search and create table report?
I have a logfile with information like this -
2023-04-05 13:54:17.259 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. DanBkDg981
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:208] Amount Number . 00902418
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 05349531
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:210] Address. 2912 9TH ST W
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:211] Email. test@aol.com
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:212] Pmt Amount . 999.00
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:213] Pmt Date . 05012023I
Need a report in table format for these columns:
"RequestID" "Policy Number" "Email" "Address" "Amount Number" "Pmt Amount" "Pmt Date"
We can search based on the keyword "OTPViewController" and should look for consecutive thread number "http-nio-8080-exec-117" and extraction of value should start from the keyword and the dot "."
Will appreciate your feedback and time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to run the following query. Although it runs with 20K events but its not generating output in the table.
index=yourinndex "OTPViewController"
| rex "(?ms)OTPViewController:(?<session>http-nio-8080-exec-\d+).*?Policy Number\. (?<PolicyNumber>[^\n]+)\n.*?Email\. (?<Email>[^\n]+)\n.*?Address\. (?<Address>[^\n]+)\n.*?Amount Number \. (?<AmountNumber>[^\n]+)\n.*?Pmt Amount \. (?<PmtAmount>[^\n]+)\n"
| stats values(*) as * by session
| table PolicyNumber, Email, Address, AmountNumber, PmtAmountCan you tell what can be the issue here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the Splunk Community, not chatGPT. 😀
Please share the queries you've tried so far and how they've not met your expectations. We'll be happy to correct errors and misconceptions.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following Splunk documentation will get you started.
https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Managesearch-timefieldextractions
Extract all the fields, i.e. your data fields + thread_id (value within first set of square bracket)+ module_name (value within second set of square bracket).
Once you've your fields extracted try something like this to get the report
Your base search
| table thread_id module_name "RequestID", "Policy Number", "Email", "Address", "Amount Number", "Pmt Amount", "Pmt Date"
| stats values(*) as * by thread_id module_name
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
