log file:testscripts.log
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Script started
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=calling wget without post parameter
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=wget command exit code: 0
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=data invoked
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=HTTP code from server:0
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Status will be updated in test.log
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Script exit normal
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Script started
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=calling wget without post parameter
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=wget command exit code: 0
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=data invoked
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=HTTP code from server:0
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Status will be updated in test.log
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=
Date = 02/10/17 14:15:00,script = testscript, id = 29251, log=Script terminated
i need data with fields with id,script,status,duration,start time and end time and it should be group by id..
i don't understand how to modify below search to get status based on last line log with script terminated or script exit normal.
id script status host=d* script=test*
| stats min(_time) as start, max(_time) as end by id , script
| eval duration=end-start | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q")
| sort by start desc join id [ search script in (test*) | eval status=if(log=='Script exit normal', 'success', 'failed')]
... View more