Search through only failing logs - Jenkins

ddaly
Engager

I am trying to speed up a search on Splunk. The search looks through millions of logs for matches to around 100 event types (each event type has multiple strings to match) so it has ended up being very slow.

The original search I have is:

eventtype=fail_type* source="*console" host = $jenkins_server$  | timechart count by eventtype

Which plots a timechart of the different types of fails in the console logs of Jenkins, which is what I want.

I tried to speed up the job by getting it to only look through logs from failing jobs. I can get a table of failing console logs using the search below, but if I try to use those console paths for a new search by adding "| search source=console_path", it doesn't work.

event_tag="job_event" host = $jenkins_server$
| eval job_result=if(type="started", "INPROGRESS", job_result) `utc_to_local_time(job_started_at)`
| search (job_result=FAILURE OR job_result=UNSTABLE OR job_result=ABORTED)
| eval console_path= "*" + build_url + "console*"
| table console_path build_url job_result

Appreciate any help or suggestions for other ways to speed up the search.

0 Karma

PickleRick
SplunkTrust

Setting aside possible accelerations (have you thought about it?), you end your search with a | table command, which returns only the given set of fields. You don't have source among them, so searching by it won't produce any results.

0 Karma
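An added example, not from either post above, of one way to restrict the event-type search to the console logs of failing builds: a subsearch builds the list of `source` patterns and hands it to the outer search. It reuses the field names and the `$jenkins_server$` token from the question and assumes, as the question does, that a console log's `source` contains `build_url` followed by `console`; `NOT type="started"` stands in for the question's INPROGRESS eval.

```spl
eventtype=fail_type* source="*console" host=$jenkins_server$
    [ search event_tag="job_event" host=$jenkins_server$ NOT type="started"
        (job_result=FAILURE OR job_result=UNSTABLE OR job_result=ABORTED)
      | dedup build_url
      | eval source="*" . build_url . "console*"
      | fields source ]
| timechart count by eventtype
```

The subsearch runs first and is expanded into `(source="..." OR source="..." ...)` in the outer search, so the only field it returns must be named `source`. Subsearch output is capped (by default 10,000 results and 60 seconds of runtime), so a time range with more failing builds than that will be silently truncated.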