I'm wondering if anyone could advise on how to best standardize a log of events with different fields. Basically, I have a log with about 50 transaction types (same source and sourcetype), and each event can have up to 20 different fields based on a specific field, ActionType. Here are a few sample events with some sample/generated data: 2025-02-10 01:09:00, EventId="6", SessionId="123abc", ActionType="Logout" 2025-02-10 01:08:00, EventId="5", SessionId="123abc", ActionType="ItemPurchase", ItemName="Item2", Amount="200.00", Status="Failure" 2025-02-10 01:07:00, EventId="4", SessionId="123abc", ActionType="ItemPurchase", ItemName="Item1", Amount="500.00", Status="Success", FailureReason="Not enough funds" 2025-02-10 01:06:00, EventId="3", SessionId="123abc" ActionType="ProfileUpdate", ElementUpdated="Password", NewValue="*******", OldValue="***********", Status="Failure", FailureReason="Password too short" 2025-02-10 01:05:00, EventId="2", SessionId="123abc" ActionType="ProfileUpdate", ElementUpdated="Email", NewValue="NewEmail@somenewdomain.com", OldValue="OldEmail@someolddomain.com", Status="Success" 2025-02-10 01:04:00, EventId="1", SessionId="123abc", ActionType="Login", IPAddress="10.99.99.99", Location="California", Status="Success" I'd like to put together a table with user-friendly EventDescription, like below: Time: SessionId Action EventDescription 2025-02-10 01:04:00 123abc LogIn User successfully logged in from IP 10.99.99.99 (California). 2025-02-10 01:05:00 123abc ProfileUpdate User failed to update password (Password too short) 2025-02-10 01:06:00 123abc ProfileUpdate User successfully updated email from NewEmail@somenewdomain.com to OldEmail@someolddomain.com 2025-02-10 01:07:00 123abc ItemPurchase User successfully purchased item1 for $500.00 2025-02-10 01:08:00 123abc ItemPurchase User failed to purchase item2 for $200.00 (insufficient funds) 2025-02-10 01:09:00 123abc LogOut User logged out successfully Given that each action will have different fields, what's the best way to approach this, given that there could be about 50 different events (possibly more in the future). I was initially thinking this can be done using a series of case statements, like the one below. However, this approach doesn't seem too scalable or maintainable given the number of events and possible fields for each one: eval EventDescription=case(EventId="LogIn", case(Status="Success", "User successfully logged in from IP ".IpAddress." (Location)", 1=1, "User failed to login"), EventId="Logout......etc I was also thinking of using a macro to extract the field and compose an EventDescription, which would be easier to maintain since the code for each Action would be isolated, but I don't think execution 50 macros in one search is the best way to go. Is there a better way to do this? Thanks!
... View more