Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

At least one log for two, distinct search conditions

techgeek_us
New Member
‎01-23-2019 04:26 PM

We have two jobs that run and produce a distinct log entry for each. I need to add a dashboard panel which monitors these jobs.

The success criteria is that at least one log exist for each job, so zero entries from one job and two from the other would not be a success, only >=1 for each. For this reason, I can't use an OR operator and include both conditions in the search. Oh, and the fields are not extracted.

How can I express this in a search and then in a dashboard panel which translates to something like "OK" or "2".

Thank you in advance for your time.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-24-2019 08:45 PM

@techgeek_us ,

Easiest method is to extract job name and find status.

"your search"
|rex field=_raw "Job (?<JOB>.+) completed"|stats dc(JOB) as c|eval status=if(c>1,"OK","NOK")

Test

|makeresults|eval raw="Job one completed,Job two completed"|makemv raw delim=","|mvexpand raw|eval _raw=raw 
|rex field=_raw "Job (?<JOB>.+) completed"|stats dc(JOB) as c|eval status=if(c>1,"OK","NOK")

Another method is searching directly in the event

"your search"
|eval j1=if( searchmatch("Job one completed"),1,0)|eval j2=if( searchmatch("Job two completed"),1,0)
|stats max(j1) as j1,max(j2) as j2|eval status=if(j1==1 AND j2==1,"OK","NOK")

Test

|makeresults|eval raw="Job one completed,Job two completed"|makemv raw delim=","|mvexpand raw|eval _raw=raw 
|eval j1=if( searchmatch("Job one completed"),1,0)|eval j2=if( searchmatch("Job two completed"),1,0)
|stats max(j1) as j1,max(j2) as j2|eval status=if(j1==1 AND j2==1,"OK","NOK")
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-24-2019 08:45 PM

@techgeek_us ,

Easiest method is to extract job name and find status.

"your search"
|rex field=_raw "Job (?<JOB>.+) completed"|stats dc(JOB) as c|eval status=if(c>1,"OK","NOK")

Test

|makeresults|eval raw="Job one completed,Job two completed"|makemv raw delim=","|mvexpand raw|eval _raw=raw 
|rex field=_raw "Job (?<JOB>.+) completed"|stats dc(JOB) as c|eval status=if(c>1,"OK","NOK")

Another method is searching directly in the event

"your search"
|eval j1=if( searchmatch("Job one completed"),1,0)|eval j2=if( searchmatch("Job two completed"),1,0)
|stats max(j1) as j1,max(j2) as j2|eval status=if(j1==1 AND j2==1,"OK","NOK")

Test

|makeresults|eval raw="Job one completed,Job two completed"|makemv raw delim=","|mvexpand raw|eval _raw=raw 
|eval j1=if( searchmatch("Job one completed"),1,0)|eval j2=if( searchmatch("Job two completed"),1,0)
|stats max(j1) as j1,max(j2) as j2|eval status=if(j1==1 AND j2==1,"OK","NOK")
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

techgeek_us
New Member
‎01-26-2019 08:24 AM

Thank you so very much. I tried your first solution and was able to customize it to my needs.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-23-2019 07:17 PM

@techgeek_us ,

How do you distinguish between two jobs, are the entries different? The easiest solution would be extracting the job name and count on it. Do you have some sample events for both jobs from where we can try extracting the information?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

techgeek_us
New Member
‎01-24-2019 09:57 AM

The log entries would look something like:

"Job one completed"
"Job two completed"

There could be none or multiple of each. What I need is to ensure that at least one occurs for each job and then represent that on a dashboard, ideally using one query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...