https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313443#M4295 <P>what do I need to do to get end time in the last event?</P> Wed, 22 Feb 2017 23:56:42 GMT sunitakesam 2017-02-22T23:56:42Z https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313440#M4292 <P>pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " |search script =test1 OR<BR /> script =test2 <BR /> | eval status=case( statusString=="exit", "success", statusString=="terminated", "failed", <BR /> 1=1, "Still in progress") <BR /> | eval JobName=case(script=="test1", "test1",<BR /> script=="test2", "test2",1=1, "unknown")<BR /> | eventstats min(_time) as start, max(_time) as end by pid , script <BR /> | search status="success" OR status="failed" <BR /> | table pid, script,JobName, status, start, end,duration<BR /> |convert mktime(start) as start mktime(end) as end<BR /> |eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q") <BR /> | eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc </P> <P>script ended successfully<BR /> Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script started<BR /> 2. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=calling wget without post parameter<BR /> 3. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=wget command exit code: 0<BR /> 4. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=data invoked<BR /> 5. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=HTTP code from server:0<BR /> 6. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Status will be updated in test.log<BR /> 7. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=<BR /> 8. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script exit normal</P> <P>Script still running</P> <OL> <LI>Date = 02/10/17 14:15:00,script = test2, id = 29251, log=Script started</LI> <LI>Date = 02/10/17 14:15:00,script = test2, id = 29251, log=calling wget without post parameter</LI> <LI>Date = 02/10/17 14:15:00,script = test2, id = 29251, log=wget command exit code: 0</LI> </OL> <P>Here statusString is extract feild value as 'started'/'exit notmal' i want to output as </P> <P>test1 success<BR /> test2 still running</P> Tue, 29 Sep 2020 12:56:57 GMT https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313440#M4292 sunitakesam 2020-09-29T12:56:57Z https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313441#M4293 <P>Give this a try</P> <PRE><CODE>pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR script =test2 | dedup script | eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed", 1=1, "Still in progress") | table script Status| rename script as JobName </CODE></PRE> Tue, 21 Feb 2017 20:59:19 GMT https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313441#M4293 somesoni2 2017-02-21T20:59:19Z https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313442#M4294 <P>Explanation:<BR /><BR /> 1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.<BR /> 2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.</P> <P>So, somesoni2's code is the simplest that will get you the status of those two jobs.</P> <P>If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.</P> Tue, 21 Feb 2017 21:39:10 GMT https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313442#M4294 DalJeanis 2017-02-21T21:39:10Z https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313443#M4295 <P>what do I need to do to get end time in the last event?</P> Wed, 22 Feb 2017 23:56:42 GMT https://community.splunk.com/t5/Splunk-Dev/Please-help-in-merge-data/m-p/313443#M4295 sunitakesam 2017-02-22T23:56:42Z