I have a job that runs and deletes data from a database. After it deletes the data, it outputs which days it deleted which table in a log of the form:
**start of A**
ODATE=2017-05-05
PurgeDate="2017-04-14,2017-04-15"
TableName=A
**start of B**
ODATE=2017-05-05
PurgeDate="2017-04-10"
TableName=B
The file gets split into multiple logs, one for each Table. How can I have a chart/table/dashboard that tells me the last X days that have been purged for each table?
Give this a try
your base search
| makemv delim="," PurgeDate | mvexpand PurgeDate
| eval _time=strptime(PurgeDate,"%Y-%m-%d")
| timechart span=1d count by TableName
Hi Splunkster45,
To reach your goal you have to do some steps (probably some of them are already done)
1 ingest logs
download an example of your file and find the correct sourcetype using the Splunk web interface
it should be something like this
[your_sourcetype]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\*\*start\sof\s\w+\*\*
TIME_FORMAT=%Y-%m-%d
TIME_PREFIX=ODATE\=
MAX_TIMESTAMP_LOOKAHEAD=10
2 run a search
run a search like the following example
index=your_index sourcetype=your_sourcetype
| makemv delim="," PurgeDate
| table _time TableName PurgeDate
Bye.
Giuseppe
your search here | stats values(PurgeDate) by TableName
should show a table with each TableName and the dates that they have been purged
Give this a try
your base search
| makemv delim="," PurgeDate | mvexpand PurgeDate
| eval _time=strptime(PurgeDate,"%Y-%m-%d")
| timechart span=1d count by TableName
This largely worked for me. However, after 10 results tables, it combined all of the other tables into the category "other." Is there a way to increase this limit?
You can add a parameter called limit in the timechart command which limits the number of columns generated.
| timechart span=1d limit=50 count by TableName
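An added example, not part of any post in this thread: a self-contained search that returns the last X purged days per table, combining the makemv/mvexpand approach above with a per-table rank. The sample_raw events are constructed from the log format in the question, the field names sample_raw, purge_epoch, purge_rank, last_purged_days and latest_purge are made up for illustration, and X is set to 3 in the where clause.

```spl
| makeresults
| eval sample_raw=split("ODATE=2017-05-05 PurgeDate=\"2017-04-14,2017-04-15\" TableName=A;ODATE=2017-05-05 PurgeDate=\"2017-04-10\" TableName=B;ODATE=2017-05-06 PurgeDate=\"2017-04-16,2017-04-17,2017-04-18\" TableName=A", ";")
| mvexpand sample_raw
| rex field=sample_raw "PurgeDate=\"(?<PurgeDate>[^\"]+)\"\s+TableName=(?<TableName>\w+)"
| makemv delim="," PurgeDate
| mvexpand PurgeDate
| eval purge_epoch=strptime(PurgeDate, "%Y-%m-%d")
| where isnotnull(purge_epoch)
| dedup TableName PurgeDate
| sort 0 TableName -purge_epoch
| streamstats count AS purge_rank BY TableName
| where purge_rank <= 3
| stats values(PurgeDate) AS last_purged_days max(purge_epoch) AS latest_purge BY TableName
| eval latest_purge=strftime(latest_purge, "%Y-%m-%d")
```

Against real data, replace the first four lines with the base search; the isnotnull filter drops any PurgeDate value that does not parse as %Y-%m-%d, so a malformed log entry cannot show up as a purged day.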