Splunk Search

How to write a search to produce a table with specified fields based on certain tags found in results?

Path Finder

I want to build a table with different fields depending on the search result.

If a certain tag or another tag is found, I need to produce a table with certain fields OR if other tags are found, I need a table with other fields.


SplunkTrust

It might take creative (or totally bland) field naming, but you could try using macros to do the table formatting and then pass them the fields you want. For instance, I did this with some logs of my own:

    ... | eval a1=eventtype
    | eval a2=bytes_in | eval a3=bytes_out | eval a4=ack_packets_in | eval a5=ack_packets_out
    | `my-table(a1, a2, a3, a4, a5)`

That results in a table with fields labeled a1 through a5. Obviously change those to whatever names you want. This depends on a macro I created that consists of

    name: my-table(5)
    definition: table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$
    arguments: arg1,arg2,arg3,arg4,arg5

You can create several of these only differing by the number of arguments, then you can call them all the same. So if you have a my-table(4) and my-table(5), and you called

    ... | `my-table(myfield1, myfield2, myfield3, myfield4)`

it would use the 4-argument version.

To vary things, you could use some other generic field category, and maybe call it like the example below, using a "built-in" field EventCode and a "generated" field OtherInfo1.

    ... | eval OtherInfo1=if(isnotnull(somefield), somefield, someotherfield) | `my-table(EventCode, OtherInfo1)`

Similarly, other types of those calculations may work, like

    ... | eval a2=if(bytes_in>0, bytes_in, EventCode)

Which I totally made up and is nonsense, but does work.

BTW, be sure to set permissions appropriately on the macro! You can browse the docs on macros for more.


Path Finder

Thanks, great answer. How do I bring in the condition: if this tag matches, build this table, and if that other tag matches, build that table?


SplunkTrust

Path Finder

Not really sure how this helps. I don't want to show statistics for each field. The table should just show the values of the fields for each event. This is my search:

    index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$ AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations)
    | table vendor*, dvc*, ids_type, tag, action*, category, signature, src*, dest*, user, severity*, _raw

I want to be able to adjust the table fields depending on what tags are included.

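Putting the macro approach from the answer together with the tag-based requirement in the last comment, here is an added example (not from the original thread and not Splunk's own code) of a macros.conf that defines the generic my-table(5) macro from the answer plus a second macro, tag_table, which derives a tag_group from the tags on each event and then fills generic columns from different source fields depending on that group. The macro name tag_table, the grouping of the six tags into three groups, and the choice of which of the search's fields land in which column are assumptions made for illustration; searchmatch(), case(), true() and coalesce() are standard eval functions. A single table command always has one fixed set of column headers, so the fields are mapped into generic columns per event rather than the headers themselves changing.

```ini
# macros.conf (assumed to live in the local/ directory of the search app).
# Lines ending in a backslash are joined into one value, so the SPL below
# can be written over several lines.

# Generic 5-column table, as described in the answer above.
[my-table(5)]
args = arg1,arg2,arg3,arg4,arg5
definition = table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$

# tag_table (assumed name): pick a tag group per event, then fill the
# generic columns col1..col4 from whichever fields make sense for that group.
# searchmatch() is used instead of tag=="x" because tag is usually multivalued.
[tag_table]
definition = eval tag_group=case( \
      searchmatch("tag=ids OR tag=attack"), "detection", \
      searchmatch("tag=malware OR tag=vulnerability"), "threat", \
      true(), "operational") \
    | eval col1=case(tag_group=="detection", ids_type, tag_group=="threat", signature, true(), category) \
    | eval col2=case(tag_group=="detection", src, tag_group=="threat", severity, true(), action) \
    | eval col3=case(tag_group=="detection", dest, tag_group=="threat", dest, true(), user) \
    | eval col4=coalesce(vendor, dvc) \
    | `my-table(tag_group, col1, col2, col3, col4)`

# Example invocation from the search bar (base search taken from the comment above):
#   index=* sourcetype!="XXX-CEF" vendor!="XXX" ($ip$ OR $URL$) \
#       AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations) \
#   | `tag_table`
```

Each row keeps its tag_group column, so it is always clear which mapping produced col1 through col4; if genuinely different headers are required per tag group, run one search per group (or use append) and table each result separately, since one table command cannot vary its headers by row. As the answer notes, the macros still need their sharing and permissions set so that the users running the search can expand them.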