how to write splunk query to create a table view

Question

I have log in Splunk which contains a message in a sequence order

"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-22"

"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-23"

"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-24"

I want to create a table in Splunk dashboard to view using Splunk query with these columns list all the case numbers with the details

COUNTRYID
GERMAN9876-er4-22
GERMAN9876-er4-23
GERMAN9876-er4-24

I am very new in splunk can someone guide how to start to build where to look for the thing. Any hint or demo will work. Thank you

Is `COUNTRYID` already defined as a field? If so, it's just `table COUNTRYID`. — PM 77-1, Feb 04 '22 at 15:54
@PM77-1 there multiple places where ```COUNTRYID``` is mentioned but i am looking for this string only — SingUser, Feb 04 '22 at 16:11
Your result has 2 rows. Does it mean that there was one more event? If so, please post sample source data and the desired result, — PM 77-1, Feb 04 '22 at 17:28

PM 77-1 · Accepted Answer · 2022-02-04T20:55:49.580

0

You will need to use rex to isolate the desired field:

index=<your search>
| rex "\"message\":\" ---Abroad country is good COUNTRYID - (?<CountryID>[\w-]+)\""
| table CountryID

The above is untested.

edited Feb 04 '22 at 20:55

answered Feb 04 '22 at 17:46

PM 77-1

To avoid the need for extra escape characters, the `rex` command can be shortened. `| rex "COUNTRYID - (?[\w-])"` – RichG Feb 04 '22 at 18:21
@RichG - In response to my comment OP stated that "*there multiple places where `COUNTRYID` is mentioned but i am looking for this string only*", so I decided to use the full string. – PM 77-1 Feb 04 '22 at 18:37
Good point. In that case, the embedded quotes need triple-backslashes. – RichG Feb 04 '22 at 18:54
@RichG - I never had to it before. – PM 77-1 Feb 04 '22 at 20:06
This is something Splunk regex users have complained about for some time, but I just ran a test and, sure enough, a single backslash works. I wonder when that changed. I did discover the `rex` command needs a '+' after the ']', however. – RichG Feb 04 '22 at 20:19
@RichG: Yes, absolutely. Fixed. – PM 77-1 Feb 04 '22 at 20:56
@PM77-1 can you have a look once https://stackoverflow.com/questions/71054620/splunk-query-to-create-a-table-view – SingUser Feb 09 '22 at 18:10
@RichG can you have a look once https://stackoverflow.com/questions/71054620/splunk-query-to-create-a-table-view – SingUser Feb 09 '22 at 18:10

1 Answers1