Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display a log based off of fields from multiple logs

Toshbar
Explorer
‎08-11-2017 01:19 PM

I'm not 100% sure how to title this question so please let me know if you have a suggestion on how to re-title it and i'll edit it.

I have tens of logs showing daily for each JOB
Here is an example of two logs for one of them:

 DATETIME:   2017-08-11 13:00:13.85 -0700   
 JOBNAME:    CIMR801D   
 MSGTXT:     CODE=ENDED - TIME=13.00.13 

 DATETIME:   2017-08-10 20:44:19.21 -0700   
 JOBNAME:    CIMR801D   
 MSGTXT:    CODE=JOB FAILED=S000 U1536 REASON=*

I only want to show jobs that have ended but haven't had any fails. So i'm trying to only show JOBNAMES that have a log containing the text ENDED TIME within the MSGTXT field but not FAILED within MSGTXT of another log within the same day.

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2017 01:27 PM

Like this:

... | stats values(MSGTXT) AS MSGTXTs BY JOBNAME
| where match(MSGTXTs, "CODE=ENDED") AND NOT match(MSGTXTs, "CODE=JOB FAILED")

If you need to keep the raw events, then change stats to eventstats.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2017 01:27 PM

Assuming the JOBNAME and MSGTXT fields are already indexed, this query should get you started.

index=foo MSGTXT="*ENDED*" | table JOBNAME
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2017 01:27 PM

Like this:

... | stats values(MSGTXT) AS MSGTXTs BY JOBNAME
| where match(MSGTXTs, "CODE=ENDED") AND NOT match(MSGTXTs, "CODE=JOB FAILED")

If you need to keep the raw events, then change stats to eventstats.

Reply
Solved! Jump to solution

Toshbar
Explorer
‎08-11-2017 01:41 PM

This is perfect. I wasn't familiar with the match command and was trying to do an overly complicated join/append.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...