Reputation: 121
how to write splunk query to create a dashboard
I have a Splunk log which contains a message at different time stamp with some case number
"message":"Welcome home user case num 1ABCD-201901-765-2 UserId - 1203 XV - 543 UserAd - 76542 Elect - 5789875 Later Code - QWERZX"
In below log few log message also get printed at different timestamp if certain conditions are met
"message":"Passed First class case num 1ABCD-201901-765-2"
"message":"Failed First class case num 1ABCD-201901-765-2"
"message":"Passed Second class case num 1ABCD-201901-765-2"
"message":"Fully Failed case num 1ABCD-201901-765-2"
"message":"Saved case num 1ABCD-201901-765-2"
"message":"Not saved case num 1ABCD-201901-765-2"
"message":"Not user to us case num 1ABCD-201901-765-2"
I want to create a table in Splunk dashboard to view using Splunk query with these columns list all the case numbers with the details
Case Num | XV | UserId | UserAd | Elect | Later Code | Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us
How to print true and false for these columns Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us I want to check for each case num whether the case num is present in those logs if its present then print true for that column else false
Upvotes: 1
Views: 857
Answers (1)
Reputation: 33453
I'm going to presume you have no field extractions yet built (except for message) for the sample data you provided, and that - as provided - it's in the correct format (though, since it seems to be missing timestamps, I can tell something is likely amiss)
This should get you down the right road:
index=ndx sourcetype=srctp message=*
| rex field=message "Passed (?<passed_attempt>\w+)"
| rex field=message "Failed (?<failed_attempt>\w+)"
| rex field=message "case num (?<case_num>\S+)"
| rex field=message "(?<saved>Not saved)"
| rex field=message "(?<saved>Saved)"
| rex field=message "UserId - (?<userid>\w+)"
| rex field=message "XV - (?<xv>\w+)"
| rex field=message "UserAd - (?<userad>\w+)"
| rex field=message "Elect - (?<elect>\w+)"
| rex field=message "Later Code - (?<later_code>\w+)"
| fields passed_attempt failed_attempt _time case_num xv userid elect later_code saved userad
| stats max(_time) as _time values(*) as * by userid case_num
I've used separate regular expressions to pull the fields because they're easier to read - they may (or may not) be more performant to combine.
Upvotes: 0
Related Questions
- Using stats with a base query
- Splunk query for showing day wise percentage
- Splunk - Add numeric columns and display only that result
- Splunk: Combining multiple chart queries to get a single table
- Query to extract data
- Splunk - Create customized query for Splunk dashboard based on Input selection
- Splunk base search on dashboard and post processing the results
- How Can I Generate A Visualisation with Multiple Data Series In Splunk
- How to make a Splunk Dashboard dynamic?
- Is it possible to make a dynamic splunk dashboard?