I want to build a table with different fields depending on the search result.
If a certain tag (or another tag) is found, I need to produce a table with certain fields, or if other tags are found, I need a table with other fields.
It might take creative (or totally bland) field naming, but you could try using macros to do the table formatting and then pass them the fields you want. For instance, I did this with some logs of my own:
... | eval a1=eventtype
| eval a2=bytes_in | eval a3=bytes_out | eval a4=ack_packets_in | eval a5=ack_packets_out
| `my-table(a1, a2, a3, a4, a5)`
That results in a table with fields labeled a1 through a5. Obviously, change those to whatever names you want. This depends on a macro I created that consists of:
name: my-table(5)
definition: table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$
arguments: arg1,arg2,arg3,arg4,arg5
You can create several of these, differing only in the number of arguments, and then call them all the same way. So if you have a my-table(4) and a my-table(5), and you called
... | `my-table(myfield1, myfield2, myfield3, myfield4)`
it would use the 4-argument version.
To vary things, you could use some generic other field category, and maybe call it like the example below, using a "built-in" field EventCode and a "generated" field OtherInfo1:
... | eval OtherInfo1=if(isnotnull(somefield),somefield, someotherfield) | `my-table(EventCode, OtherInfo1)`
Similarly, other types of calculations may work, like
... | eval a2=if(bytes_in>0,bytes_in,EventCode)
which I totally made up and is nonsense, but it does work.
BTW, be sure to set permissions appropriately on the macro! You can browse the docs on macros for more.
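Putting the macro approach above together with the tag condition from the question, as an added example that is not part of the original answer: the column names in the table stay fixed, but what each column holds is chosen per event with eval's case() on the tag field. The field names and tag values are taken from the search in the question; `my-table(3)` is a hypothetical three-argument macro defined the same way as the five-argument one above (definition `table $arg1$ $arg2$ $arg3$`, arguments `arg1,arg2,arg3`). The `($ip$ OR $URL$)` grouping is an assumption about the intended logic, since AND binds tighter than OR in Splunk search syntax. Because tag is usually multivalue, mvfind() is used rather than a plain `tag=="ids"` comparison.

```spl
index=* sourcetype!="XXX-CEF" vendor!="XXX" ($ip$ OR $URL$) AND (tag=ids OR tag=attack OR tag=malware)
| eval col1=case(isnotnull(mvfind(tag, "^ids$")),     ids_type,
                 isnotnull(mvfind(tag, "^malware$")), signature,
                 true(),                              category)
| eval col2=case(isnotnull(mvfind(tag, "^ids$")),     src,
                 isnotnull(mvfind(tag, "^malware$")), dest,
                 true(),                              user)
| `my-table(tag, col1, col2)`
```

Each case() branch is tested in order, so an event carrying both ids and malware tags is treated as ids; reorder the branches if another tag should win. The true() branch is the fallback for any other tag in the OR list, so every row gets a value and the table never shows empty columns just because a tag was not anticipated.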
Thanks, great answer. How do I bring in the condition: if this tag matches, build this table, and if that tag matches, build that table?
Have you looked at this?
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Fieldsummary
Not really sure how this helps. I don't want to show statistics for each field. The table should just show the value of the fields for each event. This is my search:
index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$ AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations) | table vendor*, dvc*, ids_type, tag, action*, category, signature, src*, dest*, user, severity*, _raw
I want to be able to adjust the table fields depending on what tags are included.