Splunk Search

Why is the below query not working?

abhi04
Communicator

I have to list the Job_Name orderid Start_Time End_Time. i am using the below query but not getting the values for End_Time. can someone help me with this.

index="auto_prod_ctm"  sourcetype=daily_ctmag_sa_batch_log "STARTED" earliest=-30m |rex field=_raw "JOB (?.*) \(O"
| rex field=_raw "ORDERID (?[^,]+)"| eval Start_Time=strftime(_time,"%d/%m/%Y %I:%M:%S")|append [search index="auto_prod_ctm" sourcetype=daily_ctmag_sa_batch_log "ENDED OK" earliest=-30m |rex field=_raw "JOB (?.*) \(O" | rex field=_raw "ORDERID (?[^,]+)"|eval End_Time=strftime(_time,"%d/%m/%Y %I:%M:%S")] | table Job_Name orderid Start_Time End_Time
Tags (1)
0 Karma

HiroshiSatoh
Champion

In such a case, it is good to use the transaction command.

 index="auto_prod_ctm"  sourcetype=daily_ctmag_sa_batch_log  earliest=-30m 
|rex field=_raw "JOB (?.*) \(O" | rex field=_raw "ORDERID (?[^,]+)"
| transaction Job_Name orderid startswith="STARTED" endswith="ENDED OK"
0 Karma

poete
Builder

Hi,

you could join the two searches using the Job_Name and/or orderid information.
Please check:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Join

0 Karma

FrankVl
Ultra Champion

Start_Time and End_Time come from separate events. Just peforming a table command doesn't merge taht into a single line with both Start_Time and End_Time populated.

Try replacing the | table Job_Name orderid Start_Time End_Time with | stats values(Start_Time) as Start_Time values(End_Time) as End_Time by Job_Name,orderid.

If that doesn't solve it:
1. Please edit your question and put the search code in as code (using the 101010 button), otherwise it is hard to read and also some special characters will disappear
2. Please share sample events

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...