https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/577841#M201362 <P>You could try something like this (the part before the blank lines just sets up some dummy data):</P><LI-CODE lang="markup">| makeresults | eval _raw="AIRFLOW_CTX_DAG_OWNER=Prathibha AIRFLOW_CTX_DAG_ID=M_OPI_NPPV_NPPES AIRFLOW_CTX_TASK_ID=NPPES_INSERT AIRFLOW_CTX_EXECUTION_DATE=2021-12-08T18:57:24.419709+00:00 AIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-08T18:57:24.419709+00:00 [2021-12-08 19:12:59,923] {{cursor.py:696}} INFO - query: [INSERT OVERWRITE INTO IDRC_OPI_DEV.CMS_BDM_OPI_NPPES_DEV.OH_IN_PRVDR_NPPES SELEC...] [2021-12-08 19:13:13,514] {{cursor.py:720}} INFO - query execution done [2021-12-08 19:13:13,570] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,570] {{snowflake.py:277}} INFO - Rows affected: 1 [2021-12-08 19:13:13,592] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,592] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12da-0000-0024028474a6 [2021-12-08 19:13:13,612] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,612] {{snowflake.py:277}} INFO - Rows affected: 7019070 [2021-12-08 19:13:13,632] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,632] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12ce-0000-002402848486 [2021-12-08 19:13:13,811] {{taskinstance.py:1192}} INFO - Marking task as SUCCESS. dag_id=M_OPI_NPPV_NPPES, task_id=NPPES_INSERT, execution_date=20211208T185724, start_date=20211208T191256, end_date=20211208T191313 [2021-12-08 19:13:13,868] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,867] {{local_task_job.py:146}} INFO - Task exited with return code" | multikv noheader=t | fields _raw | transaction endswith="AIRFLOW_CTX_DAG_OWNER" keepevicted=t keeporphans=t mvraw=t | fields _raw | fields - _time | rex "AIRFLOW_CTX_DAG_ID=(?&lt;dag_id&gt;.*)" | rex "AIRFLOW_CTX_TASK_ID=(?&lt;task_id&gt;.*)" | rex max_match=0 "Rows affected: (?&lt;rows&gt;.*)" | rex "Marking task as (?&lt;status&gt;[^\.]+)" | table dag_id task_id status rows</LI-CODE> Thu, 09 Dec 2021 04:54:13 GMT ITWhisperer 2021-12-09T04:54:13Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/577837#M201359 <P>Team,</P><P>I'm newbie in writing Splunk queries. Could you please provide me guidance how to design a SPL for below use case.</P><P>Here are sample logs:</P><P>AIRFLOW_CTX_DAG_OWNER=Prathibha<BR />AIRFLOW_CTX_DAG_ID=<STRONG>M_OPI_NPPV_NPPES</STRONG><BR />AIRFLOW_CTX_TASK_ID=<STRONG>NPPES_INSERT</STRONG><BR />AIRFLOW_CTX_EXECUTION_DATE=2021-12-08T18:57:24.419709+00:00<BR />AIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-08T18:57:24.419709+00:00</P><P>[2021-12-08 19:12:59,923] {{cursor.py:696}} INFO - query: [INSERT OVERWRITE INTO IDRC_OPI_DEV.CMS_BDM_OPI_NPPES_DEV.OH_IN_PRVDR_NPPES SELEC...]<BR />[2021-12-08 19:13:13,514] {{cursor.py:720}} INFO - query execution done<BR />[2021-12-08 19:13:13,570] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,570] {{snowflake.py:277}} INFO - <STRONG>Rows affected: 1</STRONG><BR />[2021-12-08 19:13:13,592] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,592] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12da-0000-0024028474a6<BR />[2021-12-08 19:13:13,612] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,612] {{snowflake.py:277}} INFO - <STRONG>Rows affected: 7019070</STRONG><BR />[2021-12-08 19:13:13,632] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,632] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12ce-0000-002402848486<BR />[2021-12-08 19:13:13,811] {{taskinstance.py:1192}} INFO - Marking task as SUCCESS. dag_id=M_OPI_NPPV_NPPES, task_id=NPPES_INSERT, execution_date=20211208T185724, start_date=20211208T191256, end_date=20211208T191313<BR />[2021-12-08 19:13:13,868] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,867] {{local_task_job.py:146}} INFO - Task exited with return code</P><P><STRONG>Expected output in tabular form:</STRONG></P><P><STRONG>DAG_ID&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TASK_ID&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;STATUS&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ROWS_EFFECTED</STRONG><BR />M_OPI_NPPV_NPPES&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;NPPES_INSERT&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;SUCCESS&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1,7019070</P><P>Thanks,</P><P>Sumit</P> Thu, 09 Dec 2021 02:19:23 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/577837#M201359 kapoorsumit2020 2021-12-09T02:19:23Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/577841#M201362 <P>You could try something like this (the part before the blank lines just sets up some dummy data):</P><LI-CODE lang="markup">| makeresults | eval _raw="AIRFLOW_CTX_DAG_OWNER=Prathibha AIRFLOW_CTX_DAG_ID=M_OPI_NPPV_NPPES AIRFLOW_CTX_TASK_ID=NPPES_INSERT AIRFLOW_CTX_EXECUTION_DATE=2021-12-08T18:57:24.419709+00:00 AIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-08T18:57:24.419709+00:00 [2021-12-08 19:12:59,923] {{cursor.py:696}} INFO - query: [INSERT OVERWRITE INTO IDRC_OPI_DEV.CMS_BDM_OPI_NPPES_DEV.OH_IN_PRVDR_NPPES SELEC...] [2021-12-08 19:13:13,514] {{cursor.py:720}} INFO - query execution done [2021-12-08 19:13:13,570] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,570] {{snowflake.py:277}} INFO - Rows affected: 1 [2021-12-08 19:13:13,592] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,592] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12da-0000-0024028474a6 [2021-12-08 19:13:13,612] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,612] {{snowflake.py:277}} INFO - Rows affected: 7019070 [2021-12-08 19:13:13,632] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,632] {{snowflake.py:278}} INFO - Snowflake query id: 01a0d120-0000-12ce-0000-002402848486 [2021-12-08 19:13:13,811] {{taskinstance.py:1192}} INFO - Marking task as SUCCESS. dag_id=M_OPI_NPPV_NPPES, task_id=NPPES_INSERT, execution_date=20211208T185724, start_date=20211208T191256, end_date=20211208T191313 [2021-12-08 19:13:13,868] {{logging_mixin.py:104}} INFO - [2021-12-08 19:13:13,867] {{local_task_job.py:146}} INFO - Task exited with return code" | multikv noheader=t | fields _raw | transaction endswith="AIRFLOW_CTX_DAG_OWNER" keepevicted=t keeporphans=t mvraw=t | fields _raw | fields - _time | rex "AIRFLOW_CTX_DAG_ID=(?&lt;dag_id&gt;.*)" | rex "AIRFLOW_CTX_TASK_ID=(?&lt;task_id&gt;.*)" | rex max_match=0 "Rows affected: (?&lt;rows&gt;.*)" | rex "Marking task as (?&lt;status&gt;[^\.]+)" | table dag_id task_id status rows</LI-CODE> Thu, 09 Dec 2021 04:54:13 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/577841#M201362 ITWhisperer 2021-12-09T04:54:13Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578088#M201474 <P class="lia-indent-padding-left-30px">Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;. your SPL is working as expected when I feed real data.</P><P class="lia-indent-padding-left-30px">I need to add two more columns in table : dag_run_date, dag_run_time, the values of those two column needs to be extracted from this statement but unable to form corresponding rex command . Can you help me on that?</P><PRE>AIRFLOW_CTX_EXECUTION_DATE=2021-12-08T18:57:24.419709+00:00</PRE><P>&nbsp;</P> Fri, 10 Dec 2021 22:20:05 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578088#M201474 kapoorsumit2020 2021-12-10T22:20:05Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578091#M201475 <LI-CODE lang="markup">| rex "AIRFLOW_CTX_EXECUTION_DATE=(?&lt;dag_run_date&gt;\d{4}\-\d{2}\-\d{2})T(?&lt;dag_run_time&gt;\d{2}:\d{2}:\d{2}\.\d{6})"</LI-CODE> Fri, 10 Dec 2021 23:33:50 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578091#M201475 ITWhisperer 2021-12-10T23:33:50Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578254#M201516 <P>Thanks again&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>I'm&nbsp; seeing an issue during additional testing. Can you please review and let me know what wrong am I doing in SPL#2.</P><P><STRONG>SPL#1 : </STRONG>This lists dags, tasks_id, status (SUCCESS/FAILED), Rows_Affected, Task_Start_Date, Task_End_Date correctly:</P><P>index=cloud sourcetype=lambda:Airflow2Splunk "\"logGroup\"" "\"airflow-OnePIAirflowEnvironment-DEV-Task\""<BR />| transaction startswith="\\nAIRFLOW_CTX_DAG_OWNER" endswith="Marking task as"<BR />| rex field=_raw "AIRFLOW_CTX_DAG_OWNER"=(?&lt;dag_owner&gt;\w+)<BR />| rex field=_raw "AIRFLOW_CTX_DAG_ID=(?&lt;dag_id&gt;\w+)"<BR />| rex field=_raw "AIRFLOW_CTX_TASK_ID=(?&lt;task_id&gt;\w+)"<BR />| rex field=_raw max_match=0 "Rows affected: (?&lt;rows_affected&gt;\d+)"<BR />| eval rows_affected=mvjoin(rows_affected, ",")<BR />| rex field=_raw "Marking task as (?&lt;status&gt;[^\.]+)"<BR />| rex field=_raw "start_date=(?&lt;task_start_date&gt;\d{8}T\d{6})"<BR />| rex field=_raw "end_date=(?&lt;task_end_date&gt;\d{8}T\d{6})"<BR />| eval new_start_task_date=strptime(task_start_date,"%Y%m%dT%H%M%S") | eval start_task_date=strftime(new_start_task_date,"%Y-%m-%d %H:%M:%S")<BR />| eval new_end_task_date=strptime(task_end_date,"%Y%m%dT%H%M%S") | eval end_task_date=strftime(new_end_task_date,"%Y-%m-%d %H:%M:%S")<BR />| table dag_owner dag_id task_id status rows_affected start_task_date end_task_date</P><P><STRONG>SPL#2</STRONG></P><P>This should list dags, tasks_id, status (FAILED), Rows_Affected, Task_Start_Date, Task_End_Date correctly:</P><P>But this SPL is not working as expected. I can some tasks whose status is SUCCESS also in the list.&nbsp;</P><P>index=cloud sourcetype=lambda:Airflow2Splunk "\"logGroup\"" "\"airflow-OnePIAirflowEnvironment-DEV-Task\""<BR />| transaction startswith="\\nAIRFLOW_CTX_DAG_OWNER" endswith="Marking task as FAILED"<BR />| rex field=_raw "AIRFLOW_CTX_DAG_OWNER"=(?&lt;dag_owner&gt;\w+)<BR />| rex field=_raw "AIRFLOW_CTX_DAG_ID=(?&lt;dag_id&gt;\w+)"<BR />| rex field=_raw "AIRFLOW_CTX_TASK_ID=(?&lt;task_id&gt;\w+)"<BR />| rex field=_raw max_match=0 "Rows affected: (?&lt;rows_affected&gt;\d+)"<BR />| eval rows_affected=mvjoin(rows_affected, ",")<BR />| rex field=_raw "Marking task as (?&lt;status&gt;[^\.]+)"<BR />| rex field=_raw "start_date=(?&lt;task_start_date&gt;\d{8}T\d{6})"<BR />| rex field=_raw "end_date=(?&lt;task_end_date&gt;\d{8}T\d{6})"<BR />| eval new_start_task_date=strptime(task_start_date,"%Y%m%dT%H%M%S") | eval start_task_date=strftime(new_start_task_date,"%Y-%m-%d %H:%M:%S")<BR />| eval new_end_task_date=strptime(task_end_date,"%Y%m%dT%H%M%S") | eval end_task_date=strftime(new_end_task_date,"%Y-%m-%d %H:%M:%S")<BR />| table dag_owner dag_id task_id status rows_affected start_task_date end_task_date</P> Mon, 13 Dec 2021 22:40:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578254#M201516 kapoorsumit2020 2021-12-13T22:40:26Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578257#M201517 <P>Do you need the \\n before&nbsp;<SPAN>AIRFLOW_CTX_DAG_OWNER?</SPAN></P> Mon, 13 Dec 2021 23:26:36 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578257#M201517 ITWhisperer 2021-12-13T23:26:36Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578267#M201519 <P>When I run following SPL without \n&nbsp;it doesn't yield any result.&nbsp;</P><P>| transaction startswith="AIRFLOW_CTX_DAG_OWNER" endswith="Marking task as FAILED"........</P><P>However :</P><P>| transaction startswith="\\nAIRFLOW_CTX_DAG_OWNER" endswith="Marking task as FAILED"........</P><P>or</P><P>| transaction startswith="\nAIRFLOW_CTX_DAG_OWNER" endswith="Marking task as FAILED"........</P><P>both yields same results.</P><P>'\n' is added in Splunk airflow logs (in JSON) when the airflow logs are being pushed to Splunk. That's why I added \\n before&nbsp;AIRFLOW_CTX_DAG_OWNER :&nbsp;&nbsp;</P><P><STRONG>Airflow logs:</STRONG></P><P>[2021-12-13 20:20:13,145] {{logging_mixin.py:104}} INFO - Running &lt;TaskInstance: any_bash_command_dag.bash_command 2021-12-13T20:20:10.033766+00:00 [running]&gt; on host ip-10-223-50-200.ec2.internal<BR />[2021-12-13 20:20:13,567] {{taskinstance.py:1283}} INFO - Exporting the following env vars:<BR /><STRONG>AIRFLOW_CTX_DAG_OWNER</STRONG>=airflow<BR />AIRFLOW_CTX_DAG_ID=any_bash_command_dag<BR />AIRFLOW_CTX_TASK_ID=bash_command<BR />AIRFLOW_CTX_EXECUTION_DATE=2021-12-13T20:20:10.033766+00:00<BR />AIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-13T20:20:10.033766+00:00</P><P><STRONG>Airflow logs in Splunk:</STRONG></P><P>2021-12-13T20:18:02.837Z 2b98fffe-7c1b-4dff-aedf-101c04bcd17d INFO Decoded payload: {<BR />"messageType": "DATA_MESSAGE",<BR />"owner": "765460745490",<BR />"logGroup": "airflow-OnePIAirflowEnvironment-DEV-Task",<BR />"logStream": "any_bash_command_dag/bash_command/2021-12-13T20_18_00.187744+00_00/1.log",<BR />"subscriptionFilters": [<BR />"airflow_2_splunk_task"<BR />],<BR />"logEvents": [<BR />{<BR />"id": "36560436722252801980494271713377497999438999533834272768",<BR />"timestamp": 1639426682686,<BR />"message": "[2021-12-13 20:18:02,686] {{taskinstance.py:1283}} INFO - Exporting the following env vars:<STRONG>\nAIRFLOW_CTX_DAG_OWNER</STRONG>=airflow\nAIRFLOW_CTX_DAG_ID=any_bash_command_dag\nAIRFLOW_CTX_TASK_ID=bash_command\nAIRFLOW_CTX_EXECUTION_DATE=2021-12-13T20:18:00.187744+00:00\nAIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-13T20:18:00.187744+00:00"<BR />}<BR />]<BR />}</P> Tue, 14 Dec 2021 00:49:12 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578267#M201519 kapoorsumit2020 2021-12-14T00:49:12Z https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578270#M201520 <P><STRONG>AIRFLOW_CTX_DAG_OWNER is printed like this in splunk logs:</STRONG></P><P>2021-12-13T20:18:02.837Z 2b98fffe-7c1b-4dff-aedf-101c04bcd17d INFO Decoded payload: {<BR />"messageType": "DATA_MESSAGE",<BR />"owner": "765460745490",<BR />"logGroup": "airflow-OnePIAirflowEnvironment-DEV-Task",<BR />"logStream": "any_bash_command_dag/bash_command/2021-12-13T20_18_00.187744+00_00/1.log",<BR />"subscriptionFilters": [<BR />"airflow_2_splunk_task"<BR />],<BR />"logEvents": [<BR />{<BR />"id": "36560436722252801980494271713377497999438999533834272768",<BR />"timestamp": 1639426682686,<BR />"message": "[2021-12-13 20:18:02,686] {{taskinstance.py:1283}} INFO - Exporting the following env vars:<STRONG>\nAIRFLOW_CTX_DAG_OWNER</STRONG>=airflow\nAIRFLOW_CTX_DAG_ID=any_bash_command_dag\nAIRFLOW_CTX_TASK_ID=bash_command\nAIRFLOW_CTX_EXECUTION_DATE=2021-12-13T20:18:00.187744+00:00\nAIRFLOW_CTX_DAG_RUN_ID=manual__2021-12-13T20:18:00.187744+00:00"<BR />}<BR />]<BR />}</P><P>The SPL without \n doesn't yield any result.</P><P>index=cloud sourcetype=lambda:Airflow2Splunk "\"logGroup\"" "\"airflow-OnePIAirflowEnvironment-DEV-Task\""<BR />| transaction startswith="<STRONG>AIRFLOW_CTX_DAG_OWNER</STRONG>" endswith="Marking task as FAILED".</P><P>....</P><P>....</P><P>....</P> Tue, 14 Dec 2021 01:34:43 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-in-formulate-query-for-our-use-case/m-p/578270#M201520 kapoorsumit2020 2021-12-14T01:34:43Z