Splunk Search

how to get custom table from logs

dhirendra224761
New Member

Hi, I am having trouble with my queries.
My logs are as below:
18/11/2018 12:00:41 IISYS export of Server 1 successfully transferred to Server 2
17/11/2018 03:32:09 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0
16/11/2018 21:05:57 IISYS export of Server 1 successfully transferred to Server 3
16/11/2018 21:06:15 IISYS export of Server 1 successfully transferred to Server 4
17/11/2018 03:31:32 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0
17/11/2018 03:36:55 IISYS Import successfully ended on server 1 from export of Server 3 with exit code 0

If imported then "OK", if not "KO". For the 3rd table, there is no export on Sunday and no import processing on Saturday.
Now I have to make tables based on the above logs, as in the attached screenshot below.


0 Karma

woodcock
Esteemed Legend

Your data does not match your chart. If you make them match, then maybe we can help you.

0 Karma

dhirendra224761
New Member

Hi @woodcock ... Sure, I will correct my logs as per the chart.

0 Karma

Richfez
SplunkTrust

What does a failed transfer or import look like? You didn't provide a log line for those...

The rest, or for anyone who wants to finish this answer after you provide that, might be along the lines of ...

base search ...
| rex "IISYS\s+(?<action>\w+) of (?<server>.*) (?<result>successfully|failed) transferred to (?<dest_server>.*)"
| rex "IISYS\s+(?<action>\w+) (?<result>successfully) ended on (?<server>.*) from export of (?<dest_server>.*) with exit code (?<exit_code>\d+)"
| eval result_code=if(result=="successfully" AND (isnull(exit_code) OR tonumber(exit_code)==0), "OK", "KO")
| eval series=lower(server).":".result_code
| timechart span=1d count by series

Get us a sample of those log lines where it fails, so we know what to parse for the KO, and that should let us finish this for you.

0 Karma
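As an added stand-alone check (not code from the thread), the two rex patterns above and the OK/KO mapping re-implemented in Python and run over the six sample lines from the question, so the extractions can be verified offline before building the timechart. The `failed` export line in the test is a constructed guess, since the thread never shows a real failure line; `weekend_rule_violations` surfaces the data/chart mismatch woodcock points out.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the six lines quoted in the question, verbatim.
SAMPLE_LOG = """\
18/11/2018 12:00:41 IISYS export of Server 1 successfully transferred to Server 2
17/11/2018 03:32:09 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0
16/11/2018 21:05:57 IISYS export of Server 1 successfully transferred to Server 3
16/11/2018 21:06:15 IISYS export of Server 1 successfully transferred to Server 4
17/11/2018 03:31:32 IISYS Import successfully ended on server 1 from export of server 2 with exit code 0
17/11/2018 03:36:55 IISYS Import successfully ended on server 1 from export of Server 3 with exit code 0
"""

# Same patterns as the answer's rex commands; Python spells named groups (?P<name>...), Splunk's PCRE (?<name>...).
EXPORT_RE = re.compile(r"IISYS\s+(?P<action>\w+) of (?P<server>.*) (?P<result>successfully|failed) transferred to (?P<dest_server>.*)")
IMPORT_RE = re.compile(r"IISYS\s+(?P<action>\w+) (?P<result>successfully) ended on (?P<server>.*) from export of (?P<dest_server>.*) with exit code (?P<exit_code>\d+)")

def parse_line(line):
    """Extract fields like the two rex commands and add result_code; None if neither pattern matches."""
    m = EXPORT_RE.search(line) or IMPORT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["_time"] = datetime.strptime(line[:19], "%d/%m/%Y %H:%M:%S")
    f["action"], f["server"] = f["action"].lower(), f["server"].lower()
    # The eval step: success with no exit code (export) or exit code 0 (import) is OK, anything else KO.
    ok = f["result"] == "successfully" and f.get("exit_code") in (None, "0")
    f["result_code"] = "OK" if ok else "KO"
    return f

def weekend_rule_violations(records):
    """Lines contradicting the stated rule (no export on Sunday, no import on Saturday), i.e. the data/chart mismatch."""
    return [r for r in records
            if (r["action"], r["_time"].strftime("%a")) in (("export", "Sun"), ("import", "Sat"))]

def daily_counts(records):
    """Equivalent of `timechart span=1d count by series` with series = server:result_code."""
    counts = Counter()
    for r in records:
        counts[(r["_time"].strftime("%Y-%m-%d"), r["server"] + ":" + r["result_code"])] += 1
    return dict(counts)

def run(text=SAMPLE_LOG):
    records = [r for r in (parse_line(line) for line in text.splitlines()) if r]
    return records, daily_counts(records), weekend_rule_violations(records)
```

Calling `run()` on the sample returns six parsed records, the per-day OK/KO counts, and four lines (the Sunday export and the three Saturday imports) that contradict the weekend rule as stated.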

dhirendra224761
New Member

Hi @rich7177,

Thanks for your input, especially for the rex command below:

| rex "IISYS\s+(?<action>\w+) of (?<server>.*) (?<result>successfully|failed) transferred to (?<dest_server>.*)"

Let me try this and get back to you.
Thanks again.

0 Karma