How to coalesce events with different values for s...

x213217 · ‎04-15-2019

I have this search that will display the following

index=autosys source= jobName=
| where statusText="SUCCESS" OR statusText="RUNNING" OR statusText="FAILURE" OR statusText="JOBFAILURE"
| eval startTime=if(statusText=="RUNNING",timestamp,null)
| eval failureTime=if(statusText=="FAILURE",timestamp,null)
| eval successTime=if(statusText=="SUCCESS",timestamp,null)
| streamstats last(successTime) as prev_successtime,last(failureTime) as prev_failuretime,last(startTime) as prev_startTime current=f window=1
| table jobName startTime successTime failureTime
| rename startTime as "Start Time" successTime as "Success Time" failureTime as "Failure Time"

I would like to have the most recent startTime match up with the latest SuccessTime or FailureTime in the same row. Is this possible?

woodcock · ‎04-15-2019

Just add this to the end:

| selfjoin jobName

You can also do this:

| stats values(*) AS * BY jobName

grittonc · ‎04-15-2019

Does this job only run once per day?

x213217 · ‎04-15-2019

this one in particular yes, but there will be ones that run on a variety of schedules

How to coalesce events with different values for status field?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...