Hi All,
We are running four jobs, and each runs individually. I have to consolidate all four keywords and make it a success, otherwise a failure. Can anyone help with creating an alert?
Example:
A completed
B Completed
C completed
D Completed
Hi @karthi2809 ,
Splunk search isn't case sensitive, so if the four keywords are different only for case you can use only one word.
If "completed" is in a field, you can run something like this:
index=your_index
| eval status=if(field="completed","success","failure")
If "completed" isn't in a field, you can run something like this:
index=your_index
| eval status=if(searchmatch("completed"),"success","failure")
Then you can add a condition.
If instead you want to find when there isn't the word "completed" in your logs, it's easier:
index=your_index NOT "completed"
Ciao.
Giuseppe
Thank you, works good.
I need some other query.
I had four different keywords (job success msg) and need to display job name and status.
index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString _time
Actual result:
First job 5
second Job 7
Expected output:
first job Success
Second job Success
Third job Success
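One way to produce the expected output in the last post, as an added example that is not part of the original thread. It reuses the index, `cf_app_name` filters, message strings and job labels posted above, appends a zero-count row for each of the four jobs so that a job with no matching event still shows up, and derives `status` from the summed count. The field names `job` and `count` are choices made for this example.

```spl
index=* (cf_app_name="s*" OR cf_app_name=nd*) ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success")
| eval job=case(like(_raw, "%All feed is completed%"), "First Job",
                like(_raw, "%XXX Success: XXX%"), "Second Job",
                like(_raw, "%YYY Success: YYY%"), "Third Job",
                like(_raw, "%Finished handshake success%"), "Fourth Job")
| stats count by job
| append
    [| makeresults
     | eval job=split("First Job,Second Job,Third Job,Fourth Job", ",")
     | mvexpand job
     | eval count=0
     | fields job count]
| stats sum(count) as count by job
| eval status=if(count>0, "Success", "Failure")
| table job status
```

To turn this into an alert, append `| where status="Failure"` and trigger when the number of results is greater than zero, scheduled over a time range in which all four jobs are expected to have run.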