https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467903#M131727 <P>After running some tests,<BR /> i made this schedule running every 30m.<BR /> Should, for now, make the "trick", next i monitor the process and (tranks to @to4kawa) plan to optimize with better SPL...</P> <PRE><CODE>tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60) |eval CHECK_START=if(match(_raw,"Job_Start"),_time,0) |eval CHECK_END=if(match(_raw,"Job_End"),_time,0) |stats max(CHECK_START) as START max(CHECK_END) as END last(RANGE) as RANGE |where START!=0 |eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60) |eval msg="" |eval msg=if( (START=0) AND (END=0),"INFO - NO Job_Start last "+RANGE,msg)|eval nota="already skipped with where above!" |eval msg=if( (START!=0) AND (END=0) AND (PASS&gt;120),"KO - Job_Start no Job_End after "+PASS,msg) |eval msg=if( (START!=0) AND (END!=0) AND (DUR&gt;120),"KO - Job_Start with Job_End after "+DUR,msg) |eval msg=if( (START!=0) AND (END!=0) AND (DUR&lt;=120),"OK - Job_Start with Job_End after "+DUR,msg) |where msg!="" |eval host="server"| eval source="mylog" |eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis </CODE></PRE> <P>Surely i'm getting out of <EM>Best Practices</EM> for SPL... but if works, let's do it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> SPL is great... but could become very complex <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 09 Apr 2020 10:11:16 GMT verbal_666 2020-04-09T10:11:16Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467897#M131721 <P>I guys.<BR /> Recently i came in trouble to resolve the "puzzle" described in Title...</P> <P>What we need<BR /> 1) Trigger the "Job_Start", always<BR /> 2) Monitor its processation</P> <P>Variables<BR /> 1) "Job_Start" is dynamic, i can have it at 01:00 so at 04:30, 15:00 or 17:15 (and so on....h24): <STRONG>so "Job_Start" is the beginning point!!!</STRONG><BR /> 2) "Job_End" is the great variable: <EM>it could exists, as NOT AT ALL, and the focal point is to check if IT EXISTS in a range time of max 2h from "Job_Start"</EM></P> <P>What i originally did,</P> <PRE><CODE>tag=mytag host=server earliest=-3h |transaction maxspan=120m maxevents=-1 startswith="Job_Start" endswith="Job_End" host,source |[...........do all if statements by "duration" field] </CODE></PRE> <P>... ok, but what if Job never ends???</P> <PRE><CODE>tag=mytag host=server earliest=-3h |transaction maxspan=120m maxevents=-1 startswith="Job_Start" host,source |eval CHECK_END=if(match(_raw,"Job_End"),_time,"X") |[...........do all if statements by "duration" field plus "CHECK_END" variable] </CODE></PRE> <P>... ok, this is a good compromise to work...</P> <P>Now, what i really scheduled (every 15 minutes), after thinking of possible missing timings or other things...</P> <PRE><CODE>tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60) |eval CHECK_START=if(match(_raw,"Job_Start"),_time,"X") |eval CHECK_END=if(match(_raw,"Job_End"),_time,"X") |stats min(CHECK_START) as START min(CHECK_END) as END last(RANGE) as RANGE |where START!="X" |eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60) |eval msg=if( (START="X") AND (END="X"),"NO Job_Start last "+RANGE,msg)|eval nota="already skipped with where above!" |eval msg=if( (START!="X") AND (END="X") AND (PASS&gt;120),"Job_Start no Job_End after "+PASS,msg) |eval msg=if( (START!="X") AND (END!="X") AND (PASS&gt;120),"Job_Start with Job_End after "+DUR,msg) |eval host="server"| eval source="mylog" |eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis </CODE></PRE> <P>... the schedule is running... still have to test its real effects...</P> <P>Now, some advice or help about what did above, and WHAT COULD BE DONE BETTER AND MORE EFFICIENTLY ?</P> Wed, 30 Sep 2020 04:53:32 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467897#M131721 verbal_666 2020-09-30T04:53:32Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467898#M131722 <P>... maybe there's already a little "bug", better so,</P> <PRE><CODE>|eval msg=if( (START!="X") AND (END!="X") AND (DUR&gt;120),"Job_Start with Job_End after "+DUR,msg) </CODE></PRE> <P>... anyway, waiting if the "process" is correct or there's one more efficent.<BR /> Thanks.</P> Tue, 07 Apr 2020 18:57:40 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467898#M131722 verbal_666 2020-04-07T18:57:40Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467899#M131723 <PRE><CODE>tag=mytag host=server earliest=-3h | reverse | streamstats count(eval(searchmatch("Job_Start"))) as session by host source | stats range(eval(if(searchmatch("Job_Start") OR searchmatch("Job_End"),_time,NULL))) as duration by session host source </CODE></PRE> <P>Try this and make eval function.<BR /> This query makes <CODE>duration</CODE> from <EM>Job_Start</EM> to <EM>Job_End</EM> (if exist) by each host and source.</P> <P>note: <CODE>duration</CODE> is sec.</P> Wed, 30 Sep 2020 04:58:43 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467899#M131723 to4kawa 2020-09-30T04:58:43Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467900#M131724 <P>Wow, very very interesting. The original "workaround" is running, i did some minimal change,</P> <PRE><CODE>tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60) |eval CHECK_START=if(match(_raw,"Job_Start"),_time,"X") |eval CHECK_END=if(match(_raw,"Job_End"),_time,"X") |stats min(CHECK_START) as START min(CHECK_END) as END last(RANGE) as RANGE |where START!="X" |eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60) |eval msg="" |eval msg=if( (START="X") AND (END="X"),"NO FileDiscoveryJob:95 last "+RANGE,msg)|eval nota="already skipped with where above!" |eval msg=if( (START!="X") AND (END="X") AND (PASS&gt;120),"FileDiscoveryJob:95 no AcquisitionAction:264 after "+PASS,msg) |eval msg=if( (START!="X") AND (END!="X") AND (DUR&gt;120),"FileDiscoveryJob:95 with AcquisitionAction:264 after "+DUR,msg) |where msg!="" |eval host="server"| eval source="mylog" |eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis </CODE></PRE> <P>But you SPL is extremely efficient and advanced!!!<BR /> Many thanks, i'll test asap, and maybe do the right correlations with this.<BR /> Thnaks a lot, very kind!!!</P> Thu, 09 Apr 2020 08:08:50 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467900#M131724 verbal_666 2020-04-09T08:08:50Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467901#M131725 <P>I answered a lot, but this is the first time that I have been pleased like you.<BR /> Thank you very much　@verbal_666 </P> Thu, 09 Apr 2020 08:15:18 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467901#M131725 to4kawa 2020-04-09T08:15:18Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467902#M131726 <P>You're welcome man... thanks again <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> (very smart solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> )</P> Thu, 09 Apr 2020 08:34:31 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467902#M131726 verbal_666 2020-04-09T08:34:31Z https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467903#M131727 <P>After running some tests,<BR /> i made this schedule running every 30m.<BR /> Should, for now, make the "trick", next i monitor the process and (tranks to @to4kawa) plan to optimize with better SPL...</P> <PRE><CODE>tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60) |eval CHECK_START=if(match(_raw,"Job_Start"),_time,0) |eval CHECK_END=if(match(_raw,"Job_End"),_time,0) |stats max(CHECK_START) as START max(CHECK_END) as END last(RANGE) as RANGE |where START!=0 |eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60) |eval msg="" |eval msg=if( (START=0) AND (END=0),"INFO - NO Job_Start last "+RANGE,msg)|eval nota="already skipped with where above!" |eval msg=if( (START!=0) AND (END=0) AND (PASS&gt;120),"KO - Job_Start no Job_End after "+PASS,msg) |eval msg=if( (START!=0) AND (END!=0) AND (DUR&gt;120),"KO - Job_Start with Job_End after "+DUR,msg) |eval msg=if( (START!=0) AND (END!=0) AND (DUR&lt;=120),"OK - Job_Start with Job_End after "+DUR,msg) |where msg!="" |eval host="server"| eval source="mylog" |eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis </CODE></PRE> <P>Surely i'm getting out of <EM>Best Practices</EM> for SPL... but if works, let's do it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> SPL is great... but could become very complex <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 09 Apr 2020 10:11:16 GMT https://community.splunk.com/t5/Splunk-Search/SPL-query-to-check-event-START-and-END-if-there-is/m-p/467903#M131727 verbal_666 2020-04-09T10:11:16Z