Splunk: temporary variables depending on current event context?

Question

In order not to log tons of context information, I want to use the fact that in splunk I can track when each context is opened/closed. For example, for given log:

2017-08-02 12:12:10.2342+00 - <A>  - Enabled feature `feature.A`
2017-08-02 12:12:11.1000+00 -        Some log message
2017-08-02 12:12:12.1000+00 -        Another log message
2017-08-02 12:12:13.1000+00 - <B>  - Enabled feature `feature.B`
2017-08-02 12:12:14.1000+00 -        Third log message
2017-08-02 12:12:15.1000+00 - </A> - Disabled feature `feature.A`
2017-08-02 12:12:16.1000+00 -        Fourth log message
2017-08-02 12:12:17.1000+00 - </B> - Disabled feature `feature.B`
2017-08-02 12:12:18.1000+00 -        Fifth log message

... I want have the following vars in the result:

Message             | Feature.A | Feature.B
--------------------|-----------|----------
Some log message    | +         | -
Another log message | +         | -
Third log message   | +         | +
Fourth log message  | -         | +
Fifth log message   | -         | -

Is it possible to do in Splunk?

Answer 1

Yes, absolutely you can! It will take a little elbow grease to make this work

Below is a search to get you going in the right direction

index=blah sourcetype=blah | transaction startswith="Disabled feature" endswith="Enabled feature" | stats values(Feature.A) values(Feature.B) by Message

You could also use eval which will create a new field and give you the ability to assign variables within Splunk

A better approach would be to write the stateful information out to a text file each time it occurs then have Splunk do a lookup on that file and display the results. What's your end goal here? Are you looking to build a "living dashboard" showing the state of a feature?