Splunk Search

How to search, extract and table fields from deployment object log events

chrismok
Path Finder

Currently, I get some deployment object log events like this:

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I turn this structure into rows like the following result?

Module | Start Date | Elapse Time | Status
App1 | 20140911.0933.5920 | 00:00:13 | Success
App2 | 20140911.0943.1231 | 00:00:13 | Success
App2 | 20140911.0934.5920 | -- | In Progress

0 Karma

kml_uvce
Builder

Your data is not constant and any app may come in the next line, so it is better to break the event at every new line.
Then extract fields from every event like this for App1 (if a field is not in an event then it will be empty):
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success

Use this search:
|transaction module

Hope this helps you.

0 Karma
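An added example, not part of the original answer: one way to write the search the answer outlines, using `stats ... by module` in place of `transaction module` so that interleaved lines from different apps still collapse to one row per module. It assumes each log line is already indexed as its own event; the field names `key`, `value` and `elapse_secs` are chosen here for illustration.

```spl
source="C:\\Deployment Log\\build.log"
| rex "^\s*(?<module>[^.=]+)\.(?<key>[^=]+)=(?<value>.*)$"
| eval start_date=if(key=="start", value, null())
| eval status=if(key=="upload", value, null())
| eval elapse_secs=if(key=="upload.time", tonumber(replace(value, "\s*sec$", "")), null())
| stats latest(start_date) as start_date latest(status) as status latest(elapse_secs) as elapse_secs by module
| eval "Elapse Time"=if(isnull(elapse_secs), "--", tostring(floor(elapse_secs), "duration"))
| eval Status=if(isnull(status), "In Progress", status)
| rename module as Module, start_date as "Start Date"
| table Module "Start Date" "Elapse Time" Status
```

A module that has logged only its `start` line has no `status` or `elapse_secs`, so it is shown as "In Progress" with "--" for the elapsed time.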

chrismok
Path Finder

I am not sure how to write this query as I am a beginner in Splunk.

0 Karma

jrodman
Splunk Employee

Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?

Do you know how many app items will be in your events ahead of time?

0 Karma

chrismok
Path Finder

Hi Jrodman,

Basically, it is not one event.

Once the deployment starts, all deployment programs write their logs to C:\Deployment Log\build.log.

As a result, I won't know how many app items are in the deployment.

In addition, more than one app will deploy at this time, so I cannot use LINE_BREAKER in props.conf.

The log may look like this:

 App1.start=20140911.0933.5920
 App2.start=20140911.0933.5920
 App1.upload=success
 App1.upload.time=13.708 sec
 App2.upload=success
 App3.start=20140911.0934.5920
 App2.upload.time=13.708 sec
0 Karma