pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " |search script =test1 OR
script =test2
| eval status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| eval JobName=case(script=="test1", "test1",
script=="test2", "test2",1=1, "unknown")
| eventstats min(_time) as start, max(_time) as end by pid , script
| search status="success" OR status="failed"
| table pid, script,JobName, status, start, end,duration
|convert mktime(start) as start mktime(end) as end
|eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc
script ended successfully
Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=wget command exit code: 0
4. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=data invoked
5. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=HTTP code from server:0
6. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Status will be updated in test.log
7. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=
8. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script exit normal
Script still running
Here statusString is extract feild value as 'started'/'exit notmal' i want to output as
test1 success
test2 still running
Give this a try
pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2
| dedup script
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| table script Status| rename script as JobName
what do I need to do to get end time in the last event?
Give this a try
pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2
| dedup script
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| table script Status| rename script as JobName
Explanation:
1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.
2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.
So, somesoni2's code is the simplest that will get you the status of those two jobs.
If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.