Add data to Splunk from a form

timmalos
Communicator

Hi guys.
With bpdbjobs from Netbackup I got a list of all my Netbackup jobs which are completed.
Some of them have a jobStatus > 1, which means they are in error.
But sometimes there are other jobs later which correct the problem. In my list in Splunk I want to see only jobs in error which are not solved yet, meaning there is no later job with the same characteristics having jobStatus=0. I do this with this search:

sourcetype="Netbackup" host=$host$  | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  | search jobStatus>1

With that I can list errors still in error. But (I come to the point) sometimes the problem is solved by an operator and I want to delete the line from the list. I want to create a form where I put a jobId and this jobId should never appear in my list anymore. As I don't want to delete lines from indexes, I would add a line with the same jobId but with a more recent timestamp and jobStatus=0 (so that my search will not return it), without writing a file that Splunk indexes but directly from a form (or another way if you have an idea).
How can I do that?

Thx a lot to those who read this, sorry for my English and thx a lot for any help.

0 Karma
1 Solution

lguinn2
Legend

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentState
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentState
| where currentState = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

timmalos
Communicator

outputlookup 😮 Thx

0 Karma

timmalos
Communicator

That's a good start, thx! How can I create the resolvedJobs.csv from a form? I mean I can do a search and pipe to an outputcsv but it will put the file in $SPLUNK_HOME/var/run/splunk; I would like this file to be in $MY_APP_DIR/lookups so that I can do the lookup function.

0 Karma
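One way to build the form asked about above, as an added example that is not part of the original thread: a Simple XML form that appends the entered jobId to resolvedJobs.csv with outputlookup, which writes to the lookups directory of the current app instead of $SPLUNK_HOME/var/run/splunk. The dashboard label, the token name jobId and the panel layout are assumptions; the column names follow the CSV shown in the answer.

```xml
<form>
  <!-- Added example: label, token name and layout are assumptions -->
  <label>Mark a NetBackup job as resolved</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="jobId">
      <label>jobId to mark as resolved</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Row written to resolvedJobs.csv</title>
        <search>
          <!-- $jobId|s$ : the |s token filter wraps the typed value in
               quotes, so it is handled as a string literal and not as
               search syntax.
               $$ : a literal dollar sign in Simple XML; the where clause
               keeps the row only when the value is all digits.
               append=true adds to the existing lookup file;
               override_if_empty=false leaves the file untouched when the
               where clause rejected the input. -->
          <query>
| makeresults
| eval jobId=$jobId|s$, jobStatus=0, dateTimeResolved=strftime(now(), "%Y-%m-%d %H:%M"), currentState="resolved"
| where match(jobId, "^[0-9]+$$")
| table jobId jobStatus dateTimeResolved currentState
| outputlookup append=true override_if_empty=false resolvedJobs.csv
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Only roles with write permission on the lookup can submit this form successfully, so restricting that permission to the operators who close jobs also limits who can hide a failed job from the report.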