how to create a report table with fields AND the o...

maverick · ‎12-03-2010

I would like to create a report table where the first column is the time stamp, followed by columns for pid, process, and host, and finally, as the last column, I would like the entire original event as a reference.

So the columns will look like this, _time | pid | process | host | _raw

Working with timechart command, I find that "values" function does not seem to work, and with the "fields" or "table" commands, I find that they do not recognize Splunk's _time or _raw fields, which means I cannot get the timestamp nor the original event listed as columns in my table.

I'm sure I someone has done this, or knows a way to create a report table like I want.

maverick · ‎12-03-2010

I would use the convert command to format the _time field into a field to work with, and then use stats command with a list() function while the fields you want (and rename the fields as their same names) and finally split by _raw, such that you get an event for each single event in your result set. (Also, I might pipe to deduce command first to make sure you don't get duplicate events listed multiple times within the same report row.)

Here is an example search string to try (assuming you are working with syslog event types):

sourcetype=syslog | dedup _raw | convert ctime(_time) as thetime | stats list(thetime) as "timestamp", list(pid) as pid, list(process) as process, list(_raw) as event by _raw

how to create a report table with fields AND the original event together?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life