Search that shows which extract ran successfully or failed

shakeel253
Explorer

We have integrated Tableau with Splunk. I am setting up a Splunk dashboard which will give any user information on which extract ran successfully/failed during the past 24 hours. I need a Splunk query which can give me that information.

0 Karma

shakeel253
Explorer

We use Tableau and there are some jobs (extracts) that run overnight. Some of the jobs succeed and some fail. The Tableau dashboard gives us this number; I wanted a Splunk query that gives me the total number of jobs that ran successfully/failed.

0 Karma

DalJeanis
SplunkTrust

@shakeel253 - You need to be MUCH more specific. An "extract" can be anything from a mainframe COBOL/MVS job to an Oracle procedure to a Splunk search to god knows what.

Are you talking about Tableau extract refresh schedules? If so, are the extract schedules run and managed on Tableau Online (from cloud sources), or using Tableau Bridge (from on-premises sources)? If on premises, are they coming via the SDK from Unix, Windows, Mac?

Splunk can report on any event that it has received and ingested... but you have to find the events. What I would suggest is to figure out an exact time that one certain extract ran and completed, and then search Splunk to see if the data about the search was loaded.

Start with something like this...

index=* 
earliest=2m before the extract started 
latest=5m after the extract finished 

First check the list of indexes you got data back from. In my shop, Tableau would have its own index, so would Informatica, and any similar products. If you find the index, you are golden. If not, then there is more hunting to do.

Second, if there is no index that looks promising, add "tableau" to the search and see if you get a useful subset of data. If not, then there is more hunting to do.

Poke around in the data. Kill any indexes that you know will not get tableau events. In mixed indexes, kill all the most common types of events, a few types at a time, to see what is left.

If nothing promising emerges, then find out the name of the host that your target extract runs on, widen your search time slightly, and add the host to the search:

index=* 
earliest=5m before the extract started 
latest=15m after the extract finished 
("your hostname" OR "1.1.1.1<-yourhost'sIP")

Once you find the events, then we can help you turn the raw events into a decent report.

0 Karma
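
The first two hunting steps from the answer above, combined into one search, as an added example that is not part of the original thread. The time window is constructed (an extract assumed to start at 02:00 and finish at 02:30 on 11/14/2022), and `mentions_tableau`, `first_seen` and `last_seen` are field names chosen here for illustration.

```spl
index=* earliest="11/14/2022:01:58:00" latest="11/14/2022:02:35:00"
| eval mentions_tableau=if(searchmatch("tableau"), "yes", "no")
| stats count min(_time) AS first_seen max(_time) AS last_seen BY index sourcetype host mentions_tableau
| convert ctime(first_seen) ctime(last_seen)
| sort - mentions_tableau, - count
```

Rows with `mentions_tableau=yes` show which index and sourcetype to dig into first. If none appear, adding `host="<your hostname>"` to the first line and widening the window applies the host step from the answer.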

DalJeanis
SplunkTrust

Your question is vague enough that you will probably get very little useful information back.

When you say, "which extract ran successfully", what precisely do you mean? Do you have a list of the extracts that you want to report on? Are the extracts saved searches on Splunk, or are they written in some other language and implemented somewhere else?

It is possible to get information on which scheduled searches have run and/or failed, if that is what you are after. On the other hand, if you are looking for which external processes have completed and sent information TO Splunk, then primarily what Splunk would be able to provide is analysis of whatever actually DID make it in.

0 Karma