Splunk Search

How to write a search to produce a table with specified fields based on certain tags found in results?

alex1895
Path Finder

I want to build a table with different fields depending on the search result.

If a certain tag or another tag is found, I need to produce a table with certain fields OR if other tags are found, I need a table with other fields.

0 Karma

Richfez
SplunkTrust

It might take creative (or totally bland) field naming, but you could try using macros to do the table formatting, then pass it the fields you want. For instance, I did this with some logs of my own:

 ... | eval a1=eventtype 
| eval a2=bytes_in | eval a3=bytes_out | eval a4=ack_packets_in | eval a5=ack_packets_out 
| `my-table(a1, a2, a3, a4, a5)`

That results in a table with fields labeled a1 through a5. Obviously change those to whatever names you want. This depends on a macro I created that consists of

name: my-table(5)
definition: table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$
arguments: arg1,arg2,arg3,arg4,arg5

You can create several of these only differing by the number of arguments, then you can call them all the same. So if you have a my-table(4) and my-table(5), and you called

... | `my-table(myfield1, myfield2, myfield3, myfield4)`

It would use the 4 argument version.

To vary things, you could use some generic other field category, and maybe call it like this example below, using a "built in" field EventCode and a "generated" field OtherInfo1.

... | eval OtherInfo1=if(isnotnull(somefield),somefield, someotherfield) | `my-table(EventCode, OtherInfo1)`

Similarly, other types of those calculations may work, like

... | eval a2=if(bytes_in>0,bytes_in,EventCode)

Which I totally made up and is nonsense, but does work.

BTW, be sure to set permissions appropriately on the macro! You can browse the docs on macros for more.

0 Karma

alex1895
Path Finder

Thanks, great answer. How do I bring in the condition: if this tag matches, build this table, and if that tag matches, build that table?

0 Karma

somesoni2
Revered Legend
0 Karma

alex1895
Path Finder

Not really sure how this helps. I don't want to show statistics for each field. The table should just show the value of the fields for each event. This is my search:

index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$ AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations) | table vendor*, dvc*, ids_type, tag, action*, category, signature, src*, dest*, user, severity*, _raw

I want to be able to adjust the table fields depending on what tags are included.

0 Karma
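Putting Richfez's macro idea together with the search above, as an added example that is not code from either poster: the tag decides which source fields are copied into generic columns c1..c4 with case(), and one fixed-width macro renders them. It assumes a macro named tag_table(4) with definition `table tag, $arg1$, $arg2$, $arg3$, $arg4$` and arguments arg1,arg2,arg3,arg4; the tag groupings and the fields chosen per group are illustrative assumptions, not the asker's actual requirements.

```spl
index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$
    AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations)
| eval tagset=case(
      isnotnull(mvfind(tag, "^(ids|attack)$")), "ids",
      isnotnull(mvfind(tag, "^(malware|vulnerability)$")), "malware",
      true(), "other")
| eval c1=case(tagset=="ids", ids_type,  tagset=="malware", signature, true(), category),
       c2=case(tagset=="ids", src,       tagset=="malware", dest,      true(), user),
       c3=case(tagset=="ids", dest,      tagset=="malware", severity,  true(), action),
       c4=case(tagset=="ids", action,    tagset=="malware", category,  true(), vendor)
| `tag_table(c1, c2, c3, c4)`
```

mvfind is used instead of tag=="ids" because tag is normally a multivalue field; it returns null when no value matches, so the case() falls through to the next group.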