How can I reformat this report?

GersonGarcia · ‎11-28-2022

All,

I have this search

index=sro sourcetype=sro-cosmo "DL Cert OK" "Security Posture End of sweep report" | extract pairdelim="\n" kvdelim=":" 
| rex field=_raw "--ticket \'(?<ticket>.+)\' --summary" | fillnull value=0 | table _time ticket SA_Fail_Total_Count SA_Success_Count SA_Unreachables LP_Firmware_too_old | dedup _time ticket

That results in:

But my user wants in this format:

I am using Splunk 8.2.6.

Is there any way to format this report? So my user does not need to manipulate it in Excel?

Thank you,

Gerson Garcia

yuanliu · ‎11-28-2022

You cannot get the mangled tabulation supported by many spreadsheets (because Splunk really only do tables, not pseudo tables), but this can be close visually:

index=sro sourcetype=sro-cosmo "DL Cert OK" "Security Posture End of sweep report"
| extract pairdelim="\n" kvdelim=":" 
| rex field=_raw "--ticket \'(?<ticket>.+)\' --summary"
| fillnull value=0
| table _time ticket SA_Fail_Total_Count SA_Success_Count SA_Unreachables LP_Firmware_too_old
| dedup _time ticket
| eval headings = mvappend(strftime(_time, "%m/%d/%Y %H:%M"), "SA_Fail_Total_Count", "SA_Success_Count", "SA_Unreachables", "LP_Firmware_too_old")
| eval values = mvappend(ticket, SA_Fail_Total_Count, SA_Success_Count, SA_Unreachables, LP_Firmware_too_old)
| foreach headings values
    [eval <<FIELD>> = mvjoin(<<FIELD>>, "
")]
| fields headings values

How can I reformat this report?

other

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration