- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Please help in merge data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " |search script =test1 OR
script =test2
| eval status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| eval JobName=case(script=="test1", "test1",
script=="test2", "test2",1=1, "unknown")
| eventstats min(_time) as start, max(_time) as end by pid , script
| search status="success" OR status="failed"
| table pid, script,JobName, status, start, end,duration
|convert mktime(start) as start mktime(end) as end
|eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc
script ended successfully
Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=wget command exit code: 0
4. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=data invoked
5. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=HTTP code from server:0
6. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Status will be updated in test.log
7. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=
8. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script exit normal
Script still running
- Date = 02/10/17 14:15:00,script = test2, id = 29251, log=Script started
- Date = 02/10/17 14:15:00,script = test2, id = 29251, log=calling wget without post parameter
- Date = 02/10/17 14:15:00,script = test2, id = 29251, log=wget command exit code: 0
Here statusString is extract feild value as 'started'/'exit notmal' i want to output as
test1 success
test2 still running
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2
| dedup script
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| table script Status| rename script as JobName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do I need to do to get end time in the last event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2
| dedup script
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| table script Status| rename script as JobName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Explanation:
1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.
2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.
So, somesoni2's code is the simplest that will get you the status of those two jobs.
If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
