Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add data to Splunk from a form

timmalos
Communicator
‎07-17-2013 07:46 AM

Hi guys.
With bpdbjobs from Netbackup i got a list of all my netbackup jobs yhich are completed.
Some of then have a jobStatus > 1 means they are in error.
But sometimes, there are other jobs later who corrige the problem. In my list in splunk i want only see jobs in error which are not solved yet. Means there is no job with same caracteristic later having jobStatus=0. I do this with that search : 

sourcetype="Netbackup" host=$host$  | fillnull 0 jobCopy| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  | search jobStatus>1

With that i can list errors still in error. But (I come to the point) sometimes the problem is solved by an operator and i want to delete the line from the list. I want to create a form where i put a jobId and this jobId should never appear in my list anymore. As i dont want to delete lines from indexes, i would add a line with same jobId but with more recent timestamp and jobStatus=0 (So that my search will not return it). Without write a file that Splunk index but directly by a form (Or other if you have an idea)
How can i do that?

Thx a lot for those who read this, sorry for my english and thx a lot for any help.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-17-2013 02:30 PM

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentState
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentStatus
| where currentStatus = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-17-2013 02:30 PM

Create a list of the jobs that should not be shown in the report. Make it a CSV file, perhaps like this

resolvedJobs.csv

jobId,jobStatus,dateTimeResolved,currentState
12113,0,2013-07-13 14:25,resolved
17116,0,2013-07-14 11:33,resolved

etc. Load this into Splunk as a lookup table. (Lookup tutorial) When you create the lookup, set a default value of "unresolved". In the example below, I have called the lookup jobLookup. Now run this search:

sourcetype="Netbackup" host=$host$  
| fillnull 0 jobCopy
| dedup Client Policy Schedule Stream jobCopy sortby -_time|dedup jobId sortby -_time  
| search jobStatus>1
| lookup jobLookup jobId OUTPUT currentStatus
| where currentStatus = "unresolved"

There are lots of other interesting things that you can do with lookups. But this is one good application.

Reply
Solved! Jump to solution

timmalos
Communicator
‎07-18-2013 12:58 AM

outputlookup 😮 Thx

0 Karma
Reply
Solved! Jump to solution

timmalos
Communicator
‎07-18-2013 12:49 AM

Thats a good start thx ! How can i create the resolvedJobs.csv from a form? I mean i can do a search and pipe to an outputcsv but it will put the file in $SPLUNK_HOME/var/run/splunk i would this file to be in $MY_APP_DIR/lookups so that i can do the lookup function

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...