I have a script that writes data that looks like this to a log file.
I have this search:
host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor"
and I get these results:
"2020-04-08 17:34:53,589:INFO: User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42", ...
...
"2020-04-08 17:34:53,574:INFO: User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42", ...
"2020-04-08 17:34:52,892:INFO: rehire pabisanh.", ...
...
"2020-04-08 17:34:52,891:INFO: rehire dadhre.", ...
"2020-04-08 17:34:52,214:INFO: new_hire grdorimg.", ...
...
"2020-04-08 17:34:52,214:INFO: new_hire bokdtaua.", ...
"2020-04-08 17:34:51,514:INFO: terminating hluhsha", ...
...
"2020-04-08 17:34:51,496:INFO: terminating auamjmo", ...
I would like to generate a report that puts all the terminated users, new-hire users, re-hired users and supervisor changes into a report that has columns for the terminations, new hires, re-hires and supervisor changes.
(Sorry for the crappy formatting)
| Terminations | New Hires | Re-hires | Super Changes |
| --- | --- | --- | --- |
| hluhsha | grdorimg | pabisanh | (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42 |
| auamjmo | bokdtaua | wjtorkuo | (forecscf) changes supervisor from bucreah/id=62931 to fakesuper/id=42 |
| arkgmu2i | tsoh | - | (kaprsaer) changes supervisor from cstiobs/id=127168 to fakesuper/id=42 |
| ivargda | lkrnluei | | (nfntecoo) changes supervisor from arhreinn/id=561422 to fakesuper/id=42 |
| | ontaguh | | |
| | oaomkha | | |
I have tried this search:
host=sfo-app-dev-001 terminating OR new_hire OR rehire OR "changes supervisor" | table term_users newhires rehires super_changes
But I really do not understand how to create custom fields.
I have tried to use the "Extract New Fields" wizard but cannot seem to get it to do what I need.
rex can extract new fields.
sample:
| makeresults
| eval _raw="raw
2020-04-08 17:34:53,589:INFO: User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42, ...
2020-04-08 17:34:53,574:INFO: User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42, ...
2020-04-08 17:34:52,892:INFO: rehire pabisanh., ...
2020-04-08 17:34:52,891:INFO: rehire dadhre., ...
2020-04-08 17:34:52,214:INFO: new_hire grdorimg., ...
2020-04-08 17:34:52,214:INFO: new_hire bokdtaua., ...
2020-04-08 17:34:51,514:INFO: terminating hluhsha, ...
2020-04-08 17:34:51,496:INFO: terminating auamjmo, ..."
| multikv
| rename COMMENT as "this is sample. from here, the logic"
| rex "(?<date>.*):INFO"
| eval _time=strptime(date,"%F %T,%3N")
| rex "(?<status>rehire|new_hire|terminating)\s(?<user>\w+)"
| rex "User id (?<user_id>\d+)\s\((?<user>\w+)\) changes (?<status>supervisor)"
| table _time user status user_id _raw
and
....
| stats values(user) as user count as total by status
| xyseries total status user
| fields - total
Is the report like this?
What connects termination, new hires, and re-hires to super changes?
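As an added example that is not part of the question or the answer above, the following Python script applies the same two extraction patterns the answer's rex commands use (the `status`/`user` pattern and the `User id ... changes supervisor` pattern) to constructed log lines in the format of the question, then pivots the events into one column per status, which is what the `stats values(user) by status | xyseries` step does in Splunk. The sample lines, the `SAMPLE_LOG` constant and the column names are constructed here; the supervisor pattern is extended with `from`/`to` groups to pull out the old and new supervisor, which the original rex does not do.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same shape as the log excerpt in the question.
# The last line is a deliberate non-matching event to show it is dropped.
SAMPLE_LOG = """\
2020-04-08 17:34:53,589:INFO: User id 135062 (hgevpsar) changes supervisor from klaurns/id=14654 to fakesuper/id=42
2020-04-08 17:34:53,574:INFO: User id 854526 (loovkosg) changes supervisor from eisetpl/id=446070 to fakesuper/id=42
2020-04-08 17:34:52,892:INFO: rehire pabisanh.
2020-04-08 17:34:52,891:INFO: rehire dadhre.
2020-04-08 17:34:52,214:INFO: new_hire grdorimg.
2020-04-08 17:34:52,214:INFO: new_hire bokdtaua.
2020-04-08 17:34:51,514:INFO: terminating hluhsha
2020-04-08 17:34:51,496:INFO: terminating auamjmo
2020-04-08 17:34:50,000:INFO: heartbeat ok
"""

# Timestamp prefix, equivalent to rex "(?<date>.*):INFO" plus strptime "%F %T,%3N".
DATE_RE = re.compile(r"^(?P<date>.*?):INFO:")
# Same named groups as the answer's two rex commands; the supervisor one is
# extended (assumption) with from/to groups for the old and new supervisor.
SIMPLE_RE = re.compile(r"(?P<status>rehire|new_hire|terminating)\s(?P<user>\w+)")
SUPER_RE = re.compile(
    r"User id (?P<user_id>\d+)\s\((?P<user>\w+)\) changes (?P<status>supervisor)"
    r" from (?P<old_sup>\w+)/id=(?P<old_id>\d+) to (?P<new_sup>\w+)/id=(?P<new_id>\d+)"
)

# Status value -> report column, in the column order the question asks for.
COLUMNS = {
    "terminating": "Terminations",
    "new_hire": "New Hires",
    "rehire": "Re-hires",
    "supervisor": "Super Changes",
}


def parse_line(line):
    """Return the extracted fields for one log line, or None if it is not a lifecycle event."""
    m_date = DATE_RE.match(line)
    if not m_date:
        return None
    event = {"_time": datetime.strptime(m_date.group("date"), "%Y-%m-%d %H:%M:%S,%f")}
    # Try the more specific supervisor pattern first, then the simple status/user one.
    m = SUPER_RE.search(line) or SIMPLE_RE.search(line)
    if not m:
        return None
    event.update(m.groupdict())
    return event


def build_report(text):
    """Pivot parsed events into {column: [cell, ...]}, like stats values(user) by status."""
    report = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == "supervisor":
            cell = (f"({ev['user']}) {ev['old_sup']}/id={ev['old_id']}"
                    f" -> {ev['new_sup']}/id={ev['new_id']}")
        else:
            cell = ev["user"]
        report[COLUMNS[ev["status"]]].append(cell)
    return dict(report)


def render(report):
    """Lay the columns side by side, padding short columns with '-' as in the question."""
    cols = [c for c in COLUMNS.values() if c in report]
    height = max((len(v) for v in report.values()), default=0)
    rows = [" | ".join(cols)]
    for i in range(height):
        rows.append(" | ".join(report[c][i] if i < len(report[c]) else "-" for c in cols))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(build_report(SAMPLE_LOG)))
```

Each list in the report is the equivalent of one multivalue `values(user)` cell, and `render` lines the lists up by position the way the requested table does, so users in the same row have no relation to each other beyond ordering (which also answers the last question above).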