Add data to Splunk from a form

timmalos
Communicator

Hi guys.
With bpdbjobs from Netbackup I got a list of all my Netbackup jobs which are completed.
Some of them have a jobStatus > 1, which means they are in error.
But sometimes there are other jobs later which correct the problem. In my list in Splunk I want to see only jobs in error which are not solved yet, meaning there is no later job with the same characteristics having jobStatus=0. I do this with this search:

sourcetype="Netbackup" host=$host$  | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  | search jobStatus>1

With that I can list the errors still in error. But (I come to the point) sometimes the problem is solved by an operator and I want to delete the line from the list. I want to create a form where I put a jobId, and this jobId should never appear in my list anymore. As I don't want to delete lines from indexes, I would add a line with the same jobId but with a more recent timestamp and jobStatus=0 (so that my search will not return it), without writing a file that Splunk indexes, but directly by a form (or another way, if you have an idea).
How can I do that?

Thanks a lot to those who read this, sorry for my English, and thanks a lot for any help.

0 Karma
1 Solution

lguinn2
Legend

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this:

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentStatus
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time
| dedup jobId sortby -_time
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentStatus
| where currentStatus = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

timmalos
Communicator

outputlookup 😮 Thx

0 Karma

timmalos
Communicator

That's a good start, thx! How can I create the resolvedJobs.csv from a form? I mean, I can do a search and pipe it to outputcsv, but that will put the file in $SPLUNK_HOME/var/run/splunk. I would like this file to be in $MY_APP_DIR/lookups so that I can use the lookup function.

0 Karma
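
For the follow-up about filling resolvedJobs.csv from a form, here is an added example (not from the original posts) of a search a form panel could run to append the submitted job to the lookup with outputlookup. It assumes a form token named jobId, a Splunk version that has makeresults, and an existing resolvedJobs.csv; the last column is named currentStatus to match the field the report search reads. The |s token filter quotes the form input before it reaches eval, and tonumber plus the where clause drop anything that is not a number, so a bad submission leaves the file unchanged.

```spl
| inputlookup resolvedJobs.csv
| append
    [| makeresults
     | eval jobId=tonumber($jobId|s$)
     | where isnotnull(jobId)
     | eval jobStatus=0,
            dateTimeResolved=strftime(now(), "%Y-%m-%d %H:%M"),
            currentStatus="resolved"
     | fields - _time]
| dedup jobId
| table jobId jobStatus dateTimeResolved currentStatus
| outputlookup resolvedJobs.csv
```

outputlookup writes the file into a lookups directory rather than $SPLUNK_HOME/var/run/splunk, so the lookup in the report search sees the new row the next time it runs.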