Splunk query to create a table view?

Question

This event is printed eveytime UserPin AreaCode AreaNum Sector Short Sem are unique for each userid and come only inside User Login successfully message with timestamp

"message":" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

Below these two event are only printed when certain conditions are meet. I am very new in Splunk like a naive, how can we write a Splunk query such that take out the userid with UserPin AreaCode AreaNum Sector Short Sem which have the below printed event then only create a table with userid. If below two message are not printed with userid from above message then we should not consider the userid

"message": "User Failed to login userid - 2NANO-323254-7654-4"

"message": "User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4"

this is table structure where i want to fill values

UserId | UserPin | AreaCode | AreaNum | Sector | Short_Sem

I am very new in splunk can someone guide how to start to build where to look for the thing. Any hint or demo will work. Thank you

Example

"message":" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

"message": "User Failed to login userid - 2NANO-323254-7654-4"

"message": "User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4"

"message":" *** User Login successfully credentials userid 2ABDO-54312-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

"message":" *** User Login successfully credentials userid 2COMA-765234-8653-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

So we consider first only because that userid have has two more event with same userid and associated all the event have timestamp

UserId              | UserPin| AreaCode | AreaNum | Sector   | Short_Sem
2NANO-323254-7654-4 | 287654 | 98765    | 98765   | 87612345 | ZEB

Answer 1

This question is an expansion of your question at how to write splunk query to create a table view so the answer is an expansion of that answer.

First, use rex to extract the desired fields. Then the stats command will group the results by userid. Finally, use the table command to display the fields.

| makeresults 
| eval data="\"message\":\" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"
    \"message\": \"User Failed to login userid - 2NANO-323254-7654-4\"
    \"message\": \"User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4\"
    \"message\":\" *** User Login successfully credentials userid 2ABDO-54312-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"
    \"message\":\" *** User Login successfully credentials userid 2COMA-765234-8653-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"" 
| eval data=split(data,"
") 
| mvexpand data 
| eval _raw=data 
```Everything above is for demo purposes only```
```Extract fields```
| rex "message\":\s*\"\s*(?:\*+\s)?(?<msg>.*?)(?:userid|,)"
| rex "userid\s(?:-\s)?(?<userid>\S+)" 
| rex "UserPin - (?<UserPin>\S+) AreaCode - (?<AreaCode>\S+) AreaNum - (?<AreaNum>\S+) Sector - (?<Sector>\S+) Short Sem - (?<Short_Sem>\S+)"
```Clean up the fields```
| eval userid=trim(userid,"\""), Short_Sem=trim(Short_Sem, "\"")
```Group results```
| stats values(*) as * by userid
```Filter events```
| search (msg="*User Failed to login*") OR (msg="*User is from stackoverflow group*")
| rename userid as UserId
| table UserId UserPin AreaCode AreaNum Sector Short_Sem