Re: what is the splunk command that when search al...

hoyeunglee · ‎11-26-2017

what is the splunk command that when search all and see all different kind of log as a whole
and that can parse any delimiter and any format to get column name and value and result a big table like Excel
such as if there is no such column if come from different kind of log, it fill in empty.

xxxxxxxx, xxxxx product : hello
log xxxxx ,   xxxxx serial number=3000
xxxxxxxx, xxxxx product : hello2


product serial number
hello
                    3000
hello2

woodcock · ‎11-28-2017

I get it now, you probably are looking for kv (also known as extract😞
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract

Be sure to check out the commands in the See also section.

hoyeunglee · ‎11-28-2017

can you demonstrate how to become a table?

hostname | extract pairdelim="=", kvdelim="=" | multikv fields Hostname

is there any industrial experience knowledge that can extract any delimiter?

woodcock · ‎11-28-2017

using the same character for both delims is bound to be wrong; try this:

...| extract kvdelim="=:" | rename number AS serial_number

hoyeunglee · ‎11-28-2017

i find spacy that can be trained to identify ip address etc , originally i think splunk can identify header for values automatically.

hoyeunglee · ‎11-28-2017

sometimes log do not have column name , or it has column name but the delimiter is a space, it seems splunk is not using meta learning to automate get header and value pair in log. it need manually get header and value.

woodcock · ‎11-28-2017

If your event has a header row and then other rows (in the same event), like output from df command, then use multikv.

jslee · ‎11-26-2017

If you want to search all log, you must have "index=* | " in your SPL

woodcock · ‎11-26-2017

You probably mean | table * but if not, perhaps you might like fieldsummary or maybe even cluster.

DalJeanis · ‎11-26-2017

@hoyeunglee - Lots of good here. They probably told you what you need to know if we understood your question right.

I'm betting that @woodcock's fieldsummary is the one you are looking for.

The one suggestion that I'd add is that you should put a |head 10 or | dedup index at the beginning before | fieldsummary, so that you don't end up with a completely unmanageable result.

hoyeunglee · ‎11-27-2017

i find meta learning can do data preprocessing such as auto pick column and value, is splunk using this?

hoyeunglee · ‎11-27-2017

i updated question, actually i mean a big excel table after parse with regex for any format and any delimiter

HiroshiSatoh · ‎11-26-2017

search all

->index=* OR index=_*

However, if all indexes have authority.

all different kind of log

->stats count,dc(source),values(source) by sourcetype

An example.

such as if there is no such column if come from different kind of log, it fill in empty.
->Except for the default field, it is defined for each source and source type. It will not be displayed if it does not meet the conditions.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Aboutdefaultfields

hoyeunglee · ‎11-27-2017

i updated question, actually i mean a big excel table after parse with regex for any format and any delimiter

what is the splunk command that when search all and see all different kind of log as a whole?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

what is the splunk command that when search all and see all different kind of log as a whole?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)