How to write a Splunk search to get to a field val...

sekhar463 · ‎12-26-2022

Good day,

i am using search query to correlate one field belongs and related jobs for that field

i am using below query using transaction but i am trying to get unique value for one field but values are missing for other fields also.

correct my query

as my output expecting is in the table name of the BOX_NAME with one unque value and respective JOB_NAME under BOX_NAME

index=indexname sourcetype=sourcetypename
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| transaction BOX_NAME
| table BOX_NAME,JOB_NAME,JOB_GROUP,REGION,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME

gcusello · ‎12-26-2022

Hi @sekhar463,

transaction command is usually very slow, and muste be used as last chance, please try something like this:

index=indexname sourcetype=sourcetypename
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| stats 
   values(JOB_NAME) AS JOB_NAME
   values(JOB_GROUP) AS JOB_GROUP
   values(REGION) AS REGION
   values(TIMEZONE) AS TIMEZONE
   values(STATUS) AS STATUS
   values(Currenttime) AS Currenttime
   values(STATUS_TIME) AS STATUS_TIME
   values(LAST_START) AS LAST_START
   values(LAST_END) AS LAST_END
   values(NEXT_START) AS NEXT_START
   values(DAYS_OF_WEEK) AS DAYS_OF_WEEK
   values(EXCLUDE_CALENDAR) AS EXCLUDE_CALENDAR
   values(RUNTIME) AS RUNTIME
   values(Actualstarttime) AS Actualstarttime
   values(Job_start_by) AS Job_start_by
   values(START_SLA) AS START_SLA
   values(AVG_RUN_TIME) AS AVG_RUN_TIME
   BY BOX_NAME

Ciao.

Giuseppe

How to write a Splunk search to get to a field value that belongs to particular field?

data

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio