Hi there,
I'm wondering if it's possible to format a Splunk query like so:
IF results contains "this string" THEN use these formatting commands OR
IF results contains "a different string" THEN use these formatting commands
And if possible pull them all together in one table.
If it makes it easier to explain, I will try and use network logs as an example
e.g. say the logs are as follows:
scrip=10.0.0.1 08/31/2018 11:23:34 PM (GMT)
scrip=10.0.0.2 07-09-2018 23:33:57
index=network scrip=10.0.0.1 | convert time format OR index=network scrip=10.0.0.2 | different time format conversion | table bothtimeconversion
Ideally the final table would look like this:
scrip bothtimeconversion
10.0.0.1 09/07/2018 23:23:34
10.0.0.2 31/08/2018 23:33:57
I have already sorted the time conversion format, it's essentially how I would structure the different commands based on the different source IP.
Thank you in advance
↧