- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: If I have missing data from a table, the whole...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm using the search below to produce data in the following format
First Name
Surname
DOB
NINO
SUT
auditSource="matching" auditType="Tx*" detail.input-ida-request="*" | rex field="detail.output-cid-response" "\"firstName\":\"(?<cidFName>[^\"]+)" | rex field="detail.output-cid-response" "\"lastName\":\"(?<cidSName>[^\"]+)" |rex field="detail.output-cid-response" "\"dateOfBirth\":\"(?<cidDOB>[^\"]+)" | rex field="detail.output-cid-response" "\"sut\":\"(?<cidSUT>[^\"]+)" | rex field="detail.output-cid-response" "\"nino\":\"(?<cidNINO>[^\"]+)" | eval Full_Details= "Firstname: ".cidFName.", Surname: ".cidSName.", DOB: ".cidDOB.", NINO: ".cidNINO.", SUT: ".cidSUT | makemv delim=", " Full_Details | table detail.output-cid-response Full_Details
The problem I have is that if there is one piece of information missing from the source data, the whole list fails to display.
Could someone tell me please, is there a way to overcome this?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
For those of you who are interested, I found a solution here where I used Example 2 .
Kind Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
For those of you who are interested, I found a solution here where I used Example 2 .
Kind Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should provide a sample of your events; best to include good and bad examples 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS, thank you for taking the time to come back to me with this.
I've continued to work on this, and it may not be the best way, but I found a solution here where I used Example 2.
Many thanks and kind regards
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
