https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451821#M173195 <P>Hi how do you say that the log has failed? is there a status field or is there any search term?<BR /> also put your query in <CODE>101010</CODE> sample code .</P> Mon, 04 Feb 2019 11:43:09 GMT mayurr98 2019-02-04T11:43:09Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451820#M173194 <P>I'm creating oracle RMAN chart and need the status when failed then the status should be 1 normally it should be 0.<BR /> For example,</P> <P>index="oracle" BKUPTYPE OR ORACLE_NAME OR Starting OR complete | transaction source | rex "ORACLE_NAME\s*:\s*(?\w+)" | rex "BKUPTYPE\s*:\s*(?\w+)" | where BKUPTYPE != "ARCHIVE" | EVAL name_type = ORACLE_NAME+"_"+BKUPTYPE | EVAL duration=duration*1000 | EVAL status=??? | table _time, name_type, status, duration</P> Tue, 29 Sep 2020 23:08:40 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451820#M173194 shiranaka 2020-09-29T23:08:40Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451821#M173195 <P>Hi how do you say that the log has failed? is there a status field or is there any search term?<BR /> also put your query in <CODE>101010</CODE> sample code .</P> Mon, 04 Feb 2019 11:43:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451821#M173195 mayurr98 2019-02-04T11:43:09Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451822#M173196 <P>Hello<BR /> "failed" is output into the log, normally "completed" without the status field..</P> <P>Normally I just extract 4 rows like this.<BR /> 2019-02-06 09:40:01&gt;open_logs: ORACLE_NAME : xxx<BR /> 2019-02-06 09:40:01&gt;open_logs: BKUPTYPE : ARCHIVE<BR /> 2019-02-06 09:40:19&gt;do_backup: Starting ARCHIVE database backup...<BR /> 2019-02-06 09:49:47&gt;do_backup: Database backup complete.<BR /> It does not have any status field.</P> <P>when failed, additionally something like below will be output into the log.<BR /> RMAN-03002: failure of recover command at 02/04/2019 23:07:19<BR /> ORA-19870: error while restoring backup piece /BACKUPS/xxx/budump/xxx_20190127_224906_1<BR /> ORA-19505: failed to identify file "/BACKUPS/xxx/budump/xxx_20190127_224906_1"<BR /> ORA-27037: unable to obtain file status<BR /> I need to make something like status field from the log above.</P> <P>Thanks.</P> Tue, 29 Sep 2020 23:05:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451822#M173196 shiranaka 2020-09-29T23:05:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451823#M173197 <P>Try this:</P> <P><CODE>eval status= if(match(_raw,"failed"), 1, 0)</CODE></P> Wed, 06 Feb 2019 04:33:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451823#M173197 chrisyounger 2019-02-06T04:33:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451824#M173198 <P>Hello<BR /> It's perfect for me and I could complete very useful dashboard for RMAN.<BR /> Thank you so much!</P> Thu, 07 Feb 2019 00:04:38 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451824#M173198 shiranaka 2019-02-07T00:04:38Z https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451825#M173199 <P>Hello<BR /> It's perfect for me and I could complete useful RMAN dashboard.<BR /> Thank you so much!</P> Thu, 07 Feb 2019 00:06:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-put-the-status-into-1-when-the-log-has-quot-failed/m-p/451825#M173199 shiranaka 2019-02-07T00:06:15Z