An Example:
Sep 20 12:36:30 simxxx slapd_simxxx[14304]: conn=2045 fd=28 ACCEPT from IP=99.888.7.50:50716 (IP=0.0.0.0:636)
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 fd=28 TLS established tls_ssf=128 ssf=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=msst,o=muenchen,c=de" method=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=mssgmt,o=muenchen,c=de" mech=SIMPLE ssf=0
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=0 RESULT tag=97 err=0 text=
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=1 ADD dn="cn=aatek,ou=aaaaahange,ou=Kess,o=aaa,c=de"
Sep 20 12:36:33 simxxx slapd_simxxx[14304]: conn=2045 op=1 RESULT tag=105 err=0 text=
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 PASSMOD id="cn=aaatek,ou=dddd,ou=ken,o=dddn,c=de" new
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 RESULT oid= err=0 text=
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH base="cn=sssstek,ou=Psss,ou=Kess,o=sss,c=de" scope=0 deref=0 filter="(|(objectClass=inetOrgPerson))"
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH attr=objectclass
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=4 UNBIND
Sep 20 12:36:37 simxxx slapd_simxxx[14304]: conn=2045 fd=28 closed
I want the result in a form of table
conn|op|delay|
--------------
2045|0| 00:00:01
|1| 00:00:01
|2| 00:00:00
|3| 00:00:01
|4| 00:00:00
I have declared several field extractions for the values Client_Domain which in this case is 99.888.7, also Bind_Op which is 0 and Search_Op which is 3 in this case. I have earlier written a Perl Script which could give me the desired values because I could store the value in Variables and while pattern matching in other lines, could give the value of the variable.
This is not possible in Splunk.
Can you help me out with this. Thanks to Splunk Community.
... View more