Add data to Splunk from a form

timmalos
Communicator

Hi guys.
With bpdbjobs from NetBackup I got a list of all my NetBackup jobs which are completed.
Some of them have a jobStatus > 1, which means they are in error.
But sometimes there are other jobs later that correct the problem. In my list in Splunk I want to see only jobs in error which are not solved yet, meaning there is no later job with the same characteristics having jobStatus=0. I do this with this search:

sourcetype="Netbackup" host=$host$  | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  | search jobStatus>1

With that I can list the errors that are still in error. But (I come to the point) sometimes the problem is solved by an operator and I want to delete the line from the list. I want to create a form where I put a jobId, and this jobId should never appear in my list anymore. As I don't want to delete lines from indexes, I would add a line with the same jobId but with a more recent timestamp and jobStatus=0 (so that my search will not return it). Not by writing a file that Splunk indexes, but directly from a form (or another way if you have an idea).
How can I do that?

Thx a lot to those who read this, sorry for my English, and thx a lot for any help.

0 Karma
1 Solution

lguinn2
Legend

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentState
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentState
| where currentState = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

timmalos
Communicator

outputlookup 😮 Thx

0 Karma

timmalos
Communicator

That's a good start, thx! How can I create the resolvedJobs.csv from a form? I mean, I can do a search and pipe to an outputcsv, but it will put the file in $SPLUNK_HOME/var/run/splunk. I would like this file to be in $MY_APP_DIR/lookups so that I can use the lookup function.

0 Karma
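
Added example, not part of the original thread: one way a form's search could append the entered job to resolvedJobs.csv with outputlookup, which writes to the app's lookups directory instead of $SPLUNK_HOME/var/run/splunk. The form token name jobId is an assumption; the isint(tonumber(...)) check drops anything that is not a whole job number, so free text typed into the form never reaches the lookup file.

```spl
| makeresults
| eval jobId="$jobId$"
| where isint(tonumber(jobId))
| eval jobStatus=0,
       dateTimeResolved=strftime(now(), "%Y-%m-%d %H:%M"),
       currentState="resolved"
| table jobId jobStatus dateTimeResolved currentState
| outputlookup append=true resolvedJobs.csv
```

Because outputlookup modifies a shared lookup, restrict write permission on resolvedJobs.csv to the operator role that is allowed to mark jobs as resolved.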