Splunk Search

Eval search help... can't seem to get it right.

kj384g
New Member

Hello,

I am somewhat new to Splunk, but I am having issues creating a table for a search I am doing and I need assistance please.

Example log:

vip:vip_name_goes_here dns_response:0.008 http_code:200 time_total:0.523 url_effective:url_goes_here:80

Search query I am trying to execute:

index=* host=kjones* sourcetype="viphealth" | eval http_code="http_code:" | eval vip="vip:" | eval dns_response="dns_response:" | eval time_total="time_total:" | eval url_effective="url_effective" | table vip dns_response http_code time_total url_effective

I know it's wrong, but how do I evaluate the sources defined in the log above? I have the ability to change the output of the log to different interesting fields if needed. I just want a table that will give me stats of all logs of this type.

Example of how I want table to show:

vip dns_response http_code time_total url_effective
vip:vip_name_goes_here dns_response:0.008 http_code:200 time_total:0.523 url_effective:url_goes_here

Thanks for any help you can be.

0 Karma
1 Solution

denisevw
Path Finder

Hi there

Have you done any extractions from your events as yet?

0 Karma
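As an added worked example (not part of the original thread, and not denisevw's code), here is the search-time extraction the answer is pointing at. It uses rex instead of eval: eval assigns a value to a field, it does not pull a value out of the raw event, which is why the original search produced literal strings like "http_code:". The example assumes the exact log format shown in the question (key:value pairs separated by spaces, one event per line) and the same index, host and sourcetype filter; the field names match the question, and the thresholds in the second search are made-up placeholders to adjust for your environment.

```spl
index=* host=kjones* sourcetype="viphealth"
| rex field=_raw "vip:(?<vip>\S+)\s+dns_response:(?<dns_response>[\d.]+)\s+http_code:(?<http_code>\d+)\s+time_total:(?<time_total>[\d.]+)\s+url_effective:(?<url_effective>\S+)"
| table _time vip dns_response http_code time_total url_effective

index=* host=kjones* sourcetype="viphealth"
| rex field=_raw "vip:(?<vip>\S+)\s+dns_response:(?<dns_response>[\d.]+)\s+http_code:(?<http_code>\d+)\s+time_total:(?<time_total>[\d.]+)\s+url_effective:(?<url_effective>\S+)"
| stats count AS checks, count(eval(http_code!=200)) AS non_200, avg(time_total) AS avg_time_total, max(dns_response) AS max_dns_response BY vip
| where non_200 > 0 OR avg_time_total > 1
```

The first search gives the per-event table asked for in the question; the second rolls the same fields up per VIP so that any VIP returning non-200 health checks, or averaging more than one second per check, is surfaced on its own row. Two caveats: the generic key/value extractor (extract pairdelim=" " kvdelim=":") is tempting for this format, but it would split url_effective at the ":80" inside the URL, which is why an explicit regex is used; and \S+ assumes the VIP name and URL contain no spaces, so if you change the log output, keep those values unquoted and space-free (or quote them and adjust the regex). Once the regex is right, the same pattern can be made permanent as a search-time extraction in props.conf under the [viphealth] sourcetype stanza (EXTRACT-viphealth = <the regex above>), so the fields appear without repeating rex in every search.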

kj384g
New Member

That fixed it thanks! I didn't know how to extract fields.

0 Karma

kj384g
New Member

Hello,

Thanks for the reply.

No. I am not sure how to do that. Would I need to use the rex command?

0 Karma