Deployment Architecture

how to find the immediate next passed build from the current failed build.

anooshac
Communicator

Hi all,
I have json file for each of the builds of jenkins. I want to calculate the Mean time to recovery , that is time taken from a failed build to the next immediate passed build. I listed all the failed builds but i am not getting to get the value of the next passed build. Can anyone please help me in this!

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"PASS\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"2\",
\"JOB_TIME\" : \"10/2/2020\",
\"JOB_STATUS\" : \"PASS\",
\"JOB_DURATION\" : \"239\"
    }" 
| eval host = "foo"
| makemv delim=":::" raw 
| mvexpand raw 
| rename raw AS _raw 
| kv 
| streamstats count AS _serial 
| eval _time = _time - _serial 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| streamstats count(eval(JOB_STATUS=="PASS")) AS SessionID BY host JOB_NUM 
| stats dc(JOB_STATUS) AS outcomes range(_time) AS recoveryTime BY SessionID host JOB_NUM 
| where outcomes>1 
| stats avg(recoveryTime) AS MTTR 
| fieldformat MTTR = tostring(MTTR, "duration")

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"PASS\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
    }:::{
\"JOB_NUM\" : \"2\",
\"JOB_TIME\" : \"10/2/2020\",
\"JOB_STATUS\" : \"PASS\",
\"JOB_DURATION\" : \"239\"
    }" 
| eval host = "foo"
| makemv delim=":::" raw 
| mvexpand raw 
| rename raw AS _raw 
| kv 
| streamstats count AS _serial 
| eval _time = _time - _serial 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| streamstats count(eval(JOB_STATUS=="PASS")) AS SessionID BY host JOB_NUM 
| stats dc(JOB_STATUS) AS outcomes range(_time) AS recoveryTime BY SessionID host JOB_NUM 
| where outcomes>1 
| stats avg(recoveryTime) AS MTTR 
| fieldformat MTTR = tostring(MTTR, "duration")
0 Karma

anooshac
Communicator

Hi @woodcock , i'm sorry, there was some issue with the data. Thanks a lot for the response!!

woodcock
Esteemed Legend

Generally, like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| streamstats count(eval(FieldNameForOutcome=="FieldValueForSuccess")) AS SessionID BY host FieldNameForJobID And Other FIelds Here
| stats dc(FieldNameForOutcome) AS outcomes range(_time) AS recoveryTime BY SessionID host FieldNameForJobID And Other Fields Here
| where outcomes>1
| stats avg(recoveryTime) AS MTTR
| fieldformat MTTR = tostring(MTTR, "duration")
0 Karma

woodcock
Esteemed Legend

Never mind. I did your homework for you, too. See my new answer (and see how it is EXACTLY the same as this answer).

0 Karma

anooshac
Communicator

hi @woodcock, Thanks for the response! I don't know why am i getting no results found to this query.

0 Karma

woodcock
Esteemed Legend

You understand that I made up all of the field names and values, right?

0 Karma

sumanssah
Communicator

Please try this

for shared sample log

| makeresults 
 | eval json = "{
\"JOB_NUM\" : \"1\",
\"JOB_TIME\" : \"1/1/2020\",
\"JOB_STATUS\" : \"FAIL\",
\"JOB_DURATION\" : \"304\"
}"  
  | rex "(?<json>\{.+)" | spath input=json | fields - json

For production, try

<your base search>  | rex "(?<json>\{.+)" | spath input=json | fields - json
0 Karma

anooshac
Communicator

Hi @sumanssah , it gives table with all the fields. I want to get the immediate passed JOB_NUM which to the failed one.

0 Karma

sumanssah
Communicator

If you can add a sample log, would be easy for all to provide SPL.

0 Karma

anooshac
Communicator

hi @splnsuman , below are some sample json files that i'm using.
P1_job.json
{
"JOB_NUM" : "1",
"JOB_TIME" : "1/1/2020",
"JOB_STATUS" : "FAIL",
"JOB_DURATION" : "304"
}

P2_job.json
{
"JOB_NUM" : "2",
"JOB_TIME" : "10/2/2020",
"JOB_STATUS" : "PASS",
"JOB_DURATION" : "239"
}

Like this there are many files for each of the build.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...