Getting Data In

How to display a log based off of fields from multiple logs

Toshbar
Explorer

I'm not 100% sure how to title this question, so please let me know if you have a suggestion on how to re-title it and I'll edit it.

I have tens of logs showing daily for each JOB
Here is an example of two logs for one of them:

 DATETIME:   2017-08-11 13:00:13.85 -0700
 JOBNAME:    CIMR801D
 MSGTXT:     CODE=ENDED - TIME=13.00.13

 DATETIME:   2017-08-10 20:44:19.21 -0700
 JOBNAME:    CIMR801D
 MSGTXT:     CODE=JOB FAILED=S000 U1536 REASON=*

I only want to show jobs that have ended but haven't had any fails. So I'm trying to only show JOBNAMEs that have a log containing the text ENDED TIME within the MSGTXT field, but not FAILED within the MSGTXT of another log within the same day.

Any ideas?

0 Karma

richgalloway
SplunkTrust

Assuming the JOBNAME and MSGTXT fields are already indexed, this query should get you started.

index=foo MSGTXT="*ENDED*" | table JOBNAME
---
If this reply helps you, Karma would be appreciated.

woodcock
Esteemed Legend
Accepted solution

Like this:

... | stats values(MSGTXT) AS MSGTXTs BY JOBNAME
| where match(MSGTXTs, "CODE=ENDED") AND NOT match(MSGTXTs, "CODE=JOB FAILED")

If you need to keep the raw events, then change stats to eventstats.
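The accepted search collects every MSGTXT a job logged anywhere in the search window, so a FAILED message from an earlier day still suppresses a later clean ENDED for the same job, while the question asks for the decision per job per day. The search below is an added example, not from the original thread: it bins events by day, counts ENDED and FAILED messages per job per day with explicit eval flags (so the result does not depend on how match() behaves over the multivalue MSGTXTs field), and keeps only the job-days with at least one ENDED and no FAILED. It assumes JOBNAME and MSGTXT are already extracted and that _time was parsed from the DATETIME line at index time; the index name foo is taken from the earlier reply and is a placeholder.

```spl
index=foo JOBNAME=* MSGTXT=*
| eval ended=if(match(MSGTXT, "CODE=ENDED"), 1, 0)
| eval failed=if(match(MSGTXT, "FAILED"), 1, 0)
| bin _time span=1d AS day
| stats sum(ended) AS ended_count sum(failed) AS failed_count values(MSGTXT) AS MSGTXTs BY day JOBNAME
| where ended_count > 0 AND failed_count = 0
| eval day=strftime(day, "%Y-%m-%d")
| table day JOBNAME ended_count MSGTXTs
```

Two things to check before trusting the output: the day boundaries come from the searching user's timezone setting, not from the -0700 offset in the DATETIME line, so a job that ends shortly after midnight can land in a different day than the job scheduler considers it; and if _time is the time of ingestion rather than the DATETIME value, the binning is meaningless until the sourcetype's timestamp extraction is fixed. The FAILED pattern is deliberately broader than "CODE=JOB FAILED" because the question only requires the word FAILED to appear in MSGTXT.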

Toshbar
Explorer

This is perfect. I wasn't familiar with the match command and was trying to do an overly complicated join/append.

0 Karma