how to write splunk query to create a dashboard

Question

I have a Splunk log which contains a message at different time stamp with some case number

"message":"Welcome home user case num 1ABCD-201901-765-2  UserId - 1203 XV - 543 UserAd - 76542 Elect - 5789875 Later Code - QWERZX"

In below log few log message also get printed at different timestamp if certain conditions are met

"message":"Passed First class case num 1ABCD-201901-765-2"

"message":"Failed First class case num 1ABCD-201901-765-2"

"message":"Passed Second class case num 1ABCD-201901-765-2"

"message":"Fully Failed case num 1ABCD-201901-765-2"

"message":"Saved case num 1ABCD-201901-765-2"

"message":"Not saved case num 1ABCD-201901-765-2"

"message":"Not user to us case num 1ABCD-201901-765-2"

I want to create a table in Splunk dashboard to view using Splunk query with these columns list all the case numbers with the details

Case Num | XV | UserId | UserAd | Elect | Later Code | Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us

How to print true and false for these columns  Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us I want to check for each case num whether the case num is present in those logs if its present then print true for that column else false

Answer 1

I'm going to presume you have no field extractions yet built (except for message) for the sample data you provided, and that - as provided - it's in the correct format (though, since it seems to be missing timestamps, I can tell something is likely amiss)

This should get you down the right road:

index=ndx sourcetype=srctp message=*
| rex field=message "Passed (?<passed_attempt>\w+)"
| rex field=message "Failed (?<failed_attempt>\w+)"
| rex field=message "case num (?<case_num>\S+)"
| rex field=message "(?<saved>Not saved)"
| rex field=message "(?<saved>Saved)"
| rex field=message "UserId - (?<userid>\w+)"
| rex field=message "XV - (?<xv>\w+)"
| rex field=message "UserAd - (?<userad>\w+)"
| rex field=message "Elect - (?<elect>\w+)"
| rex field=message "Later Code - (?<later_code>\w+)"
| fields passed_attempt failed_attempt _time case_num xv userid elect later_code saved userad
| stats max(_time) as _time values(*) as * by userid case_num

I've used separate regular expressions to pull the fields because they're easier to read - they may (or may not) be more performant to combine.