Splunk Search

How to search and create a table report?

Path Finder

I have a log file with information like this:

2023-04-05 13:54:17.259 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. DanBkDg981
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:208] Amount Number . 00902418
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 05349531
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:210] Address. 2912 9TH ST W
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:211] Email. test@aol.com
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:212] Pmt Amount . 999.00
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:213] Pmt Date . 05012023I

I need a report in table format for these columns:

"RequestID"	"Policy Number"	"Email"	"Address"	"Amount Number"	"Pmt Amount"	"Pmt Date"

We can search on the keyword "OTPViewController", look for the consecutive thread number "http-nio-8080-exec-117", and the extraction of each value should start after the keyword and the dot ".".

I will appreciate your feedback and time.

0 Karma

Path Finder

I tried to run the following query. Although it runs against 20K events, it's not generating output in the table.

index=yourindex "OTPViewController"
| rex "\[(?<session>http-nio-8080-exec-\d+)\]\[OTPViewController:\d+\]"
| rex "Payment Request ID[^.]*\.\s*(?<RequestID>\S+)"
| rex "Policy Number\s*\.\s*(?<PolicyNumber>\S+)"
| rex "Email\s*\.\s*(?<Email>\S+)"
| rex "Address\s*\.\s*(?<Address>.+)"
| rex "Amount Number\s*\.\s*(?<AmountNumber>\S+)"
| rex "Pmt Amount\s*\.\s*(?<PmtAmount>\S+)"
| rex "Pmt Date\s*\.\s*(?<PmtDate>\S+)"
| stats values(*) as * by session
| table session RequestID PolicyNumber Email Address AmountNumber PmtAmount PmtDate

Can you tell what can be the issue here?


0 Karma


This is the Splunk Community, not ChatGPT.  😀

Please share the queries you've tried so far and how they've not met your expectations.  We'll be happy to correct errors and misconceptions.

If this reply helps you, Karma would be appreciated.
0 Karma

Revered Legend

Following Splunk documentation will get you started. 


Extract all the fields, i.e. your data fields + thread_id (the value within the first set of square brackets) + module_name (the value within the second set of square brackets).

Once you have your fields extracted, try something like this to get the report:

Your base search
| table thread_id module_name "RequestID", "Policy Number", "Email", "Address", "Amount Number", "Pmt Amount", "Pmt Date"
| stats values(*) as * by thread_id module_name



0 Karma
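The extraction the question asks for, and the grouping step both answers describe, can be checked outside Splunk before building the search. The script below is an added example written for this thread, not code from the poster or from Splunk: it parses the log format shown in the question, takes the value after the first dot on each line, and assembles one record per payment request. Instead of keying on the thread id alone (which a servlet container reuses across requests, so `stats ... by thread_id` can merge two customers' values into one row), it starts a new record each time the "The list of the form bean" line appears on a thread. The sample log is constructed: it is the eight lines from the question plus a second, partial request on the same thread (with placeholder values) to show the reset behaviour.

```python
import re

# Constructed sample, not a real capture: the eight lines from the question,
# followed by a second, partial request on the same thread (placeholder values)
# to show why the thread id alone is not a safe grouping key.
SAMPLE_LOG = """\
2023-04-05 13:54:17.259 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. DanBkDg981
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:208] Amount Number . 00902418
2023-04-05 13:54:17.260 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 05349531
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:210] Address. 2912 9TH ST W
2023-04-05 13:54:17.261 INFO [http-nio-8080-exec-117][OTPViewController:211] Email. test@aol.com
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:212] Pmt Amount . 999.00
2023-04-05 13:54:17.262 INFO [http-nio-8080-exec-117][OTPViewController:213] Pmt Date . 05012023I
2023-04-05 13:54:18.001 INFO [http-nio-8080-exec-117][OTPViewController:206] The list of the form bean for Kubra
2023-04-05 13:54:18.002 INFO [http-nio-8080-exec-117][OTPViewController:207] Payment Request ID for debug the Kubra payment. REQ2TEST
2023-04-05 13:54:18.003 INFO [http-nio-8080-exec-117][OTPViewController:209] Policy Number. 00000000
"""

# One log line: timestamp, level, [thread][class:line], message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[(?P<thread>http-nio-8080-exec-\d+)\]"
    r"\[OTPViewController:\d+\] (?P<msg>.*)$"
)
# "<label> . <value>": the label is everything before the first dot, the value
# everything after it, so "Pmt Amount . 999.00" keeps its decimal point.
KV_RE = re.compile(r"^(?P<label>[^.]+?)\s*\.\s*(?P<value>\S.*)$")

# Message label prefix -> report column (column names from the question).
# Matched by prefix because the request-id line has a longer sentence as label.
FIELD_PREFIXES = {
    "Payment Request ID": "RequestID",
    "Policy Number": "Policy Number",
    "Email": "Email",
    "Address": "Address",
    "Amount Number": "Amount Number",
    "Pmt Amount": "Pmt Amount",
    "Pmt Date": "Pmt Date",
}
COLUMNS = ["RequestID", "Policy Number", "Email", "Address",
           "Amount Number", "Pmt Amount", "Pmt Date"]
# Assumed request boundary: the first line the controller logs per request.
START_MARKER = "The list of the form bean"


def parse_requests(text):
    """Return one dict per payment request, in the order they were closed.

    A request is the run of OTPViewController lines on one thread after a
    START_MARKER line; a new marker on the same thread closes the previous
    record, so a reused thread never merges two customers' values."""
    open_records = {}  # thread id -> record currently being filled
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OTPViewController line
        thread, msg = m.group("thread"), m.group("msg")
        if msg.startswith(START_MARKER):
            if thread in open_records:
                finished.append(open_records[thread])
            open_records[thread] = {"thread": thread, "time": m.group("ts")}
            continue
        rec = open_records.get(thread)
        if rec is None:
            continue  # field line with no preceding marker on this thread
        kv = KV_RE.match(msg)
        if not kv:
            continue
        label, value = kv.group("label").strip(), kv.group("value").strip()
        for prefix, column in FIELD_PREFIXES.items():
            if label.startswith(prefix):
                rec[column] = value
                break
    finished.extend(open_records.values())  # still-open requests at end of log
    return finished


def to_tsv(records, columns=COLUMNS):
    """Render the records as a tab-separated table with the requested columns."""
    rows = ["\t".join(columns)]
    for rec in records:
        rows.append("\t".join(rec.get(c, "") for c in columns))
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_tsv(parse_requests(SAMPLE_LOG)))
```

The same boundary logic maps onto Splunk's `transaction` command (`transaction thread_id startswith="The list of the form bean"`) if the lines are indexed as separate events. One caveat worth noting before this report is shared widely: the log lines themselves carry e-mail addresses, postal addresses, policy numbers and payment amounts at INFO level, so the index and any saved report built from it should be restricted to the roles that genuinely need that data.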