- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need search help for server job monitoring use cas...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need search help for server job monitoring use case
I want to implement job monitoring use case. Check the events of a process from a particular server and display result as executed if events exists and if no events exists as not executed.
NOt all jobs are meant to execute on every day so there is a business schedule.
I have fed the schedule in look up file as below :
LOG Day
kenan_usage Sun
kenan_usage Mon
kenan_usage Tue
kenan_usage Wed
kenan_usage Thu
kenan_usage Fri
kenan_usage Sat
kenan_collections Sun
kenan_collections Mon
kenan_collections Tue
kenan_collections Wed
kenan_collections Thu
kenan_collections Fri
kenan_collections Sat
kenan_payment Mon
kenan_payment Tue
kenan_payment Wed
kenan_payment Thu
kenan_payment Fri
So when I write a search as "host="amsokennl01" | eval my_day=strftime(now(), "%a") | lookup job_schedule2 Day as my_day OUTPUT LOG | mvexpand LOG | where sourcetype=LOG |dedup LOG | append [ search host="amsokennl01" | eval my_day=strftime(now(), "%a") | lookup job_schedule2 Day as my_day OUTPUT LOG | mvexpand LOG | eval sourcetype1=sourcetype | where sourcetype1=LOG | stats count by sourcetype1 | fields + count sourcetype1 ] | table LOG sourcetype1 count "
its not giving me correct results.
Please help me the best way to implement this use case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm.
Here's how I'd approach this use case...
your base search that finds all jobs that ran on all days you are looking at
| fields _time jobname
| bin _time span =1d
| eval runstate="executed"
| appendpipe [ | stats values(_time) as rundays values(jobname) as jobname | eval runstate ="not executed" | mvexpand jobname | mvexpand rundays | rename rundays as _time]
| stats min(runstate) as runstate by jobname _time
| eval runday=strftime(_time,"%a")
| table _time runday jobname runstate
That will get you a table of every date in the date range where at least one job ran, and the executed or not executed status of each job on each day.
You can use your lookup table in between the first and second lines to eliminate any jobs you do not want to see.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.. This doesnot give me the sourcetype which has not executed I mean which donot have any events
host="amsokennl01" | fields _time sourcetype
| eval runstate="executed"
| appendpipe [ | stats values(_time) as rundays values(sourcetype) as sourcetype | eval runstate ="not executed" | mvexpand sourcetype | mvexpand rundays | rename rundays as _time]
| stats min(runstate) as runstate by sourcetype _time
| eval runday=strftime(_time,"%a") | dedup runday sourcetype runstate
| table runday sourcetype runstate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your final dataset supposed to look like? Give us a few events and then a mockup of the final output.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
