Hi, I'm a newbie to Splunk Enterprise.
I have a log file for Windows Firewall that I already point to Splunk via the universal forwarder, and Splunk reads it as per below:
11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall
11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall
I just want to create a table from this log where I need to split out variables like source IP, destination IP and time. I have tried to use the pivot function, but the variables I need are not shown there.
Have you done any field extractions or are you using a Technology Addon (TA) that is giving you any field extractions? If not, that is your first problem. Once you have the field extractions, you can simply display a table of the data with:
<your_base_search> | table *
or you can define which of the fields you want displayed in your table with:
<your_base_search> | table field, field2, field3
But you do have to have fields being extracted for either of these to do anything useful. Here is a useful document to get you started in creating your own automatic field extraction:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX
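As an added illustration of what a field extraction for this log looks like (example code, not from the answer above or from any Splunk add-on): a named-group regex over the pfirewall.log line format shown in the question, applied to constructed copies of those two events, followed by the equivalent of `| table time, src_ip, dst_ip`. The field names (`src_ip`, `dst_ip`, and so on) are my own choice.

```python
import re
from typing import Optional

# Constructed sample events in the format shown in the question.
# Splunk's "11/27/17 9:56:14.000 AM" prefix is display only, not part of the raw line.
SAMPLE_LINES = [
    "2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND",
    "2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND",
    # Header line that Windows writes at the top of pfirewall.log; must not become an event row.
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
]

# One named group per column of the Windows Firewall log. Group names become
# field names; the names themselves are assumed, not dictated by Splunk.
PFIREWALL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<protocol>\S+) "
    r"(?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<src_port>\S+) (?P<dst_port>\S+) "
    r"(?P<size>\S+) (?P<tcpflags>\S+) (?P<tcpsyn>\S+) (?P<tcpack>\S+) (?P<tcpwin>\S+) "
    r"(?P<icmptype>\S+) (?P<icmpcode>\S+) (?P<info>\S+) (?P<path>\S+)$"
)


def extract_fields(line: str) -> Optional[dict]:
    """Return a dict of field name -> value for one raw event, or None for
    header/comment lines and anything else that does not match the format."""
    m = PFIREWALL_RE.match(line)
    return m.groupdict() if m else None


def build_table(lines, columns=("time", "src_ip", "dst_ip")):
    """Equivalent of `<base_search> | table time, src_ip, dst_ip`:
    one tuple per event that extracted successfully, in input order."""
    rows = []
    for line in lines:
        fields = extract_fields(line)
        if fields is not None:
            rows.append(tuple(fields[c] for c in columns))
    return rows


if __name__ == "__main__":
    print("\t".join(("time", "src_ip", "dst_ip")))
    for row in build_table(SAMPLE_LINES):
        print("\t".join(row))
```

The same regex can be placed in the `[pfirewall]` stanza of props.conf as an `EXTRACT-<name>` setting so that Splunk performs the extraction at search time, after which `| table time, src_ip, dst_ip` works directly.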
If the field is not displayed only for a specific user, I think that it is a matter of authority. Please check the permission setting of field extraction.
Fields » Field extractions
OR
Fields » Field transformations
What cannot be displayed?
Is it a field? Is it a pivot table?
It is a field...