Splunk Dev

Please help in merging data

sunitakesam
New Member

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " | search script=test1 OR script=test2
| eval status=case(statusString=="exit", "success", statusString=="terminated", "failed", 1=1, "Still in progress")
| eval JobName=case(script=="test1", "test1", script=="test2", "test2", 1=1, "unknown")
| eventstats min(_time) as start, max(_time) as end by pid, script
| search status="success" OR status="failed"
| table pid, script, JobName, status, start, end, duration
| convert mktime(start) as start mktime(end) as end
| eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc

Script ended successfully:

1. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=wget command exit code: 0
4. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=data invoked
5. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=HTTP code from server:0
6. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=Status will be updated in test.log
7. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=
8. Date = 02/10/17 14:15:00, script = test1, id = 29251, log=Script exit normal

Script still running:

1. Date = 02/10/17 14:15:00, script = test2, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00, script = test2, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00, script = test2, id = 29251, log=wget command exit code: 0

Here statusString is the extracted field value, such as 'started' / 'exit normal'. I want the output as:

test1 success
test2 still running

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script=test1 OR script=test2
| dedup script
| eval Status=case(statusString=="exit", "success", statusString=="terminated", "failed", 1=1, "Still in progress")
| table script Status | rename script as JobName


0 Karma

sunitakesam
New Member

what do I need to do to get end time in the last event?

0 Karma


DalJeanis
SplunkTrust

Explanation:

1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.
2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.

So, somesoni2's code is the simplest that will get you the status of those two jobs.

If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.
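An added example (not posted by anyone in this thread) of the "different method" referred to above: a stats-based search that keeps the dedup approach's status logic but also returns start time, end time and duration per job in a single pass. It assumes the same statusString extraction and the same case() values as the question's search, and that the last event of each run is the one carrying the exit or terminated status.

```spl
pid script host=dc1 ("log= SUCCESS" OR "log= FAILURE" OR "log=Script ") (script=test1 OR script=test2)
| stats min(_time) as start max(_time) as end latest(statusString) as statusString by pid script
| eval Status=case(statusString=="exit", "success", statusString=="terminated", "failed", 1=1, "Still in progress")
| eval duration=tostring(end-start, "duration")
| eval start=strftime(start, "%Y/%m/%d %T"), end=strftime(end, "%Y/%m/%d %T")
| rename script as JobName
| table JobName pid Status start end duration
```

Grouping by both pid and script matters here: in the sample data both scripts log the same id (29251), so grouping by pid alone would merge their events into one row.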
