- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to do a subsearch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following query
and the following is a result, for a particular run of a process it creates muiltiple such results as below depending on how many reports are present in the batch. So from the below "bz9mf-37v-qgt" is the processID which is common in the two search resutls. I want to extract the FileName from one result and ProcessingTime from the other result
bz9mf-37v-qgt Filename Processingtime
this should be my output can someone please help?
1 » 12/7/12
9:35:31.572 AM 2012-12-07 09:35:31,572 INFO [cdpbAbnamro:RunFiber (120279:3011)] Deliverator.2106 (bz9mf-37v-qgt) (x-rmg-job:bz9mf-37p-uug#tag:2012-12-07:1354872928990) [Normal] bz9mf-37p-uug [Event/Other/ReportDetail] [DeliveryTime=2012-12-07 09:35:31.0, FileName=hfpositions.20121207.CreditExposure.5D, ReportingResultId=workflow@abnamro.com@hfpositions.20121207.CreditExposure.5D, Status=DELIVERED]
2 » 12/7/12
9:35:31.568 AM 2012-12-07 09:35:31,568 INFO [reporting-process-manager:CreateReportingResult (140962:1398)] AuditFilter.1943 (bz9mf-37v-qgt) (x-rmg-job:bz9mf-37p-uug#tag:,2012-12-07:cdpbAbnamro,1354872929872) [Audit] End [Event/End/OperationEnd] [Action=urn:RiskMetricsDirect:1.0:reporting-process-manager:CreateReportingResult, CPU=20, IO=655, ProcessingTime=1501, ServiceTime=1492, Size=1360]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you could just use stats.
... | stats first(Filename) as Filename, first(Processingtime) as Processingtime by processID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you could just use stats.
... | stats first(Filename) as Filename, first(Processingtime) as Processingtime by processID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great Worked fine!!! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I have extracted these fields but as I said I want to join the two results based on the processid, as I asid its not just these two rows , for a client there are many rows (two each for a particular processID) depending on number or reports so
basically output in a single row would be
Process ID1 Processingtime1
Process ID1 filename1
Process ID2 Processingtime2
Process ID2 filename2
..
lets say there are 12 rows in actual result, I want to reduce to 6
Process ID1 Processingtime1 filename1
Process ID2 Processingtime2 filename2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you extracted the relevant fields (processId, Filename, Processingtime)? I'm not sure why you'd particularly want to use a subsearch for solving this.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
