- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Grouping multiple keyword and value in to one as s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
We are running four jobs it will runs individual.i have to consolidate all four keyword and make it as success otherwise as failure .Can anyone help on creating alert.
Example:
A completed
B Completed
C completed
D Completed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @karthi2809 ,
Splunk search isn't case sensitive, so if the four keywords are different only for case you can use only one word.
If "completed" is in a field, you can run something like this:
index=your_index
| eval status=if(field="completed","success","failure")If "completed" isn't in a field, you can run something like this:
index=your_index
| eval status=if(searchmatch("completed"),"success","failure")Then you can add a condition.
If instead you want to find when there isn't the word "completed in your logs, it's easier:
index=your_index NOT "completed"Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @karthi2809 ,
Splunk search isn't case sensitive, so if the four keywords are different only for case you can use only one word.
If "completed" is in a field, you can run something like this:
index=your_index
| eval status=if(field="completed","success","failure")If "completed" isn't in a field, you can run something like this:
index=your_index
| eval status=if(searchmatch("completed"),"success","failure")Then you can add a condition.
If instead you want to find when there isn't the word "completed in your logs, it's easier:
index=your_index NOT "completed"Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you works good
I need some other query
I had four different keyword( job Success msg ) and need to display job name and status.
index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString _time
Actual result:
First job 5
second Job 7
Excpected output:
first job Success
Second job Success
Third job Success
There's No Place Like Chrome and the Splunk Platform
The Great Resilience Quest: 5th Leaderboard Update
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
