Archive
Highlighted

Please help in merge data

New Member

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " |search script =test1 OR
script =test2
| eval status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| eval JobName=case(script=="test1", "test1",
script=="test2", "test2",1=1, "unknown")
| eventstats min(time) as start, max(time) as end by pid , script
| search status="success" OR status="failed"
| table pid, script,JobName, status, start, end,duration
|convert mktime(start) as start mktime(end) as end
|eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc

script ended successfully
Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=wget command exit code: 0
4. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=data invoked
5. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=HTTP code from server:0
6. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Status will be updated in test.log
7. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=
8. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script exit normal

Script still running

  1. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=Script started
  2. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=calling wget without post parameter
  3. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=wget command exit code: 0

Here statusString is extract feild value as 'started'/'exit notmal' i want to output as

test1 success
test2 still running

Tags (1)
0 Karma
Highlighted

Re: Please help in merge data

SplunkTrust
SplunkTrust

Give this a try

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2 
| dedup script 
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed", 
1=1, "Still in progress") 
| table script Status| rename script as JobName

View solution in original post

0 Karma
Highlighted

Re: Please help in merge data

SplunkTrust
SplunkTrust

Explanation:

1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.
2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.

So, somesoni2's code is the simplest that will get you the status of those two jobs.

If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.

Highlighted

Re: Please help in merge data

New Member

what do I need to do to get end time in the last event?

0 Karma