Splunk Search

how to create a report table with fields AND the original event together?

maverick
Splunk Employee

I would like to create a report table where the first column is the time stamp, followed by columns for pid, process, and host, and finally, as the last column, I would like the entire original event as a reference.

So the columns will look like this, _time | pid | process | host | _raw

Working with timechart command, I find that "values" function does not seem to work, and with the "fields" or "table" commands, I find that they do not recognize Splunk's _time or _raw fields, which means I cannot get the timestamp nor the original event listed as columns in my table.

I'm sure someone has done this, or knows a way to create a report table like I want.

maverick
Splunk Employee

I would use the convert command to format the _time field into a field to work with, and then use the stats command with a list() function on the fields you want (renaming the fields to their same names), and finally split by _raw, such that you get an event for each single event in your result set. (Also, I might pipe to the dedup command first to make sure you don't get duplicate events listed multiple times within the same report row.)

Here is an example search string to try (assuming you are working with syslog event types):

sourcetype=syslog  | dedup _raw | convert ctime(_time) as thetime | stats list(thetime) as "timestamp", list(pid) as pid, list(process) as process, list(_raw) as event by _raw
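As an added example (not part of the original answer), here is the same stats-by-_raw approach carried through to the exact column layout the question asked for: it adds the host column the answer's search left out, drops the redundant list(_raw) column (the by _raw clause already yields _raw), and uses table at the end to fix the column order. The sourcetype and field names pid, process and host are assumed to be extracted from the syslog events as in the original search.

```spl
sourcetype=syslog
| dedup _raw
| convert ctime(_time) as timestamp
| stats list(timestamp) as timestamp, list(pid) as pid, list(process) as process, list(host) as host by _raw
| table timestamp pid process host _raw
```

Because dedup _raw runs before stats, each _raw group holds a single event, so every list() call returns exactly one value and the report shows one row per event with the original event text as the last column.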
