Hi Peeps,
I'm a newbie trialing Splunk. I have searched the forum. Apologies if this is a duplicate.
I have an application that logs events to a database. It does use an incremental counter as the primary key - making it ideal to use the Rising Column import into Splunk.
However, the events logged have a Status field which is binary - running or completed. The application will log an event as running, and after the event completes (as much as 10 - 15 minutes after commencing) it will update all the events and set the Status field to completed. Unfortunately, the application will also default a "Run Successfully" field to false until it completes and will only set the "Run Successfully" field to true at event completion.
I only want Splunk to retrieve the events that have a Status = completed.
If I just use the Rising Column method - Splunk will capture events not completed, meaning I will be creating false alerts if I raise alerts based on the "Run Successfully" field.
There is a date time field, however after reading articles like https://answers.splunk.com/answers/400221/why-is-using-a-timestamp-column-for-the-rising-col.html and other answers that ask you to "dedup" searches - I don't like the idea of using the date time stamp as the Rising Column and would like to avoid it if possible.
If I use the Status field in the SQL WHERE clause, Splunk will still increment the Rising Column it is looking for and so will miss the update. I did see an article mentioning the use of a lookup, but there were no details on how to do so.
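An added simulation (not the poster's code, nor Splunk's) of the two behaviours described above, using an in-memory SQLite table with constructed rows: an unfiltered rising-column poll ingests event 2 while it is still "running" with Run Successfully = false and never sees its update, and a poll filtered on Status = completed advances the checkpoint past event 2 before it completes, so it is never retrieved. The gap check at the end is one way to detect the second case.

```python
import sqlite3

# Constructed sample table standing in for the application's event log:
# id is the incremental primary key (the rising column), status flips from
# 'running' to 'completed' minutes later, run_ok stays 0 until then.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, status TEXT, run_ok INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)",
                     [(1, "completed", 1), (2, "running", 0), (3, "completed", 1)])
    return conn

def poll(conn, checkpoint, only_completed):
    """One rising-column poll: rows with id above the checkpoint (optionally only
    completed ones); the checkpoint advances to the highest id returned."""
    sql = "SELECT id, status, run_ok FROM events WHERE id > ?"
    if only_completed:
        sql += " AND status = 'completed'"
    rows = conn.execute(sql + " ORDER BY id", (checkpoint,)).fetchall()
    return rows, max((r[0] for r in rows), default=checkpoint)

def missed_completions(conn, checkpoint, ingested_ids):
    """Gap check: completed rows at or below the checkpoint that were never ingested."""
    rows = conn.execute("SELECT id FROM events WHERE id <= ? AND status = 'completed'",
                        (checkpoint,)).fetchall()
    return [r[0] for r in rows if r[0] not in ingested_ids]

def simulate(only_completed):
    conn = make_db()
    ingested, cp = [], 0
    rows, cp = poll(conn, cp, only_completed)   # first poll: event 2 still running
    ingested += rows
    # Event 2 finishes successfully after the poll; event 4 starts.
    conn.execute("UPDATE events SET status = 'completed', run_ok = 1 WHERE id = 2")
    conn.execute("INSERT INTO events VALUES (4, 'running', 0)")
    rows, cp = poll(conn, cp, only_completed)   # second poll never re-reads id <= cp
    ingested += rows
    ids = [r[0] for r in ingested]
    # Rows Splunk holds with run_ok = 0 that the database has since set to 1:
    # these are the false "not successful" alerts.
    stale = [r[0] for r in ingested if r[2] == 0 and
             conn.execute("SELECT run_ok FROM events WHERE id = ?", (r[0],)).fetchone()[0] == 1]
    return {"ingested": ids, "checkpoint": cp, "stale_failures": stale,
            "missed": missed_completions(conn, cp, ids)}
```

`simulate(False)` reports event 2 as a stale failure; `simulate(True)` reports event 2 as missed, because the checkpoint reached 3 while 2 was still running.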