Add data to Splunk from a form

timmalos
Communicator

Hi guys.
With bpdbjobs from NetBackup I got a list of all my NetBackup jobs which are completed.
Some of them have a jobStatus > 1, which means they are in error.
But sometimes there are other jobs later which correct the problem. In my list in Splunk I want to see only the jobs in error which are not solved yet, meaning there is no later job with the same characteristics having jobStatus=0. I do this with this search:

sourcetype="Netbackup" host=$host$  | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  | search jobStatus>1

With that I can list the errors still in error. But (I come to the point) sometimes the problem is solved by an operator and I want to delete the line from the list. I want to create a form where I put a jobId, and this jobId should never appear in my list anymore. As I don't want to delete lines from indexes, I would add a line with the same jobId but with a more recent timestamp and jobStatus=0 (so that my search will not return it), without writing a file that Splunk indexes, but directly from a form (or another way if you have an idea).
How can I do that?

Thx a lot to those who read this, sorry for my English, and thx a lot for any help.

0 Karma
1 Solution

lguinn2
Legend

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentState
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentState
| where currentState = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

timmalos
Communicator

outputlookup 😮 Thx

0 Karma

timmalos
Communicator

That's a good start, thx! How can I create the resolvedJobs.csv from a form? I mean I can do a search and pipe to an outputcsv, but it will put the file in $SPLUNK_HOME/var/run/splunk. I would like this file to be in $MY_APP_DIR/lookups so that I can use the lookup function.

0 Karma
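
One way to drive the lookup file from a form with outputlookup, as an added example that is not part of the original posts. It assumes resolvedJobs.csv already exists with the columns shown in the answer, and that the form has a text input whose token is named jobId (a hypothetical name). The search reads the current file, appends one row for the submitted job, drops the new row if the value is not purely numeric, keeps a single row per jobId, and writes the result back:

```spl
| inputlookup resolvedJobs.csv
| append
    [| makeresults
     | eval jobId="$jobId$",
            jobStatus=0,
            dateTimeResolved=strftime(now(), "%Y-%m-%d %H:%M"),
            currentState="resolved"
     | where match(jobId, "^\d+$")]
| dedup jobId
| table jobId jobStatus dateTimeResolved currentState
| outputlookup resolvedJobs.csv
```

Unlike outputcsv, outputlookup writes the CSV to the lookups directory of the app the search runs in, so the lookup command picks up the new row on the next run of the report search.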