Reporting

How to generate a daily report that shows the number of backups kicked off for each user and how many were successful and unsuccessful in a table format?

drbruhn
New Member

I'm a total Splunk query noob here, so pardon the basic nature of my question. We have our backup logs forwarded to Splunk in the following format:

[Thu May  10 12:00:00 EDT 2018] user=johndoe computername=computer101 comment="Backup completed (un)successfully"

We'd like to generate a daily report that tells us how many backups have kicked off for each user, how many were successful, and how many were unsuccessful in a table format.

How might I go about that?

Thanks in advance!

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search e.g. index=foo sourcetype=bar to select backup logs
| stats count by user comment
| eval comment=if(match(comment,"unsuccessfully"),"Unsuccessful","Successful")
| chart sum(count) over user by comment
| eval Total_Backups=Unsuccessful + Successful
| table user Total_Backups Successful Unsuccessful

View solution in original post

0 Karma

somesoni2
Revered Legend

Give this a try

your base search e.g. index=foo sourcetype=bar to select backup logs
| stats count by user comment
| eval comment=if(match(comment,"unsuccessfully"),"Unsuccessful","Successful")
| chart sum(count) over user by comment
| eval Total_Backups=Unsuccessful + Successful
| table user Total_Backups Successful Unsuccessful
0 Karma

drbruhn
New Member

This one is REALLY close. For some reason, if all backups are successful, I don't see a total. I only get a total if there are unsuccessful backups.

0 Karma

somesoni2
Revered Legend

Well, try this version (this will cover if all backups failed OR passed)

your base search e.g. index=foo sourcetype=bar to select backup logs
 | stats count by user comment
 | eval comment=if(match(comment,"unsuccessfully"),"Unsuccessful","Successful")
 | chart sum(count) over user by comment | fillnull value=0
 | eval Total_Backups=Unsuccessful + Successful
 | table user Total_Backups Successful Unsuccessful
0 Karma

drbruhn
New Member

Perfection! Thanks!

0 Karma

davey1985
Explorer
rex = "\[(?<date>[A-z]{3}\s[A-z]{3}\s+\d+)\s\d+:\d+:\d+\d.*user=(?<username>[A-z.0-9-]*)\s+computername=(?<computername>[A-z.0-9-]*)\scomment=\"(?<comment>.*)\""
| stats count(comment) by comment

Thats how many successfull vs unsuccessfull

| stats count(username) by computername,comment

Thats each job kicked off by a user per computer and if it was successful or not

0 Karma

drbruhn
New Member

That's really close to what I'm looking for. I apologize for not specifying this beforehand, but what I'd like is to see the following:

Username | Successful Backups | Unsuccessful Backups | Total
jdoe | 3 | 1 | 4
asmith | 5 | 0 | 5

Make sense?

0 Karma

jodyfsu
Path Finder

Hello drbruhn, something like this should work:

user="*" computername="*" comment="Backup*"
stats count(comment) by comment, user
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...