Splunk Dev

Please help in merge data

sunitakesam
New Member

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " |search script =test1 OR
script =test2
| eval status=case( statusString=="exit", "success", statusString=="terminated", "failed",
1=1, "Still in progress")
| eval JobName=case(script=="test1", "test1",
script=="test2", "test2",1=1, "unknown")
| eventstats min(_time) as start, max(_time) as end by pid , script
| search status="success" OR status="failed"
| table pid, script,JobName, status, start, end,duration
|convert mktime(start) as start mktime(end) as end
|eval duration=tostring((end-start),"duration") | eval start=strftime(start, "%Y/%m/%d %T.%3Q")
| eval end=strftime(end, "%Y/%m/%d %T.%3Q") | sort by start desc

script ended successfully
Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script started
2. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=calling wget without post parameter
3. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=wget command exit code: 0
4. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=data invoked
5. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=HTTP code from server:0
6. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Status will be updated in test.log
7. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=
8. Date = 02/10/17 14:15:00,script = test1, id = 29251, log=Script exit normal

Script still running

  1. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=Script started
  2. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=calling wget without post parameter
  3. Date = 02/10/17 14:15:00,script = test2, id = 29251, log=wget command exit code: 0

Here statusString is extract feild value as 'started'/'exit notmal' i want to output as

test1 success
test2 still running

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2 
| dedup script 
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed", 
1=1, "Still in progress") 
| table script Status| rename script as JobName

View solution in original post

0 Karma

sunitakesam
New Member

what do I need to do to get end time in the last event?

0 Karma

somesoni2
Revered Legend

Give this a try

pid script host=dc1 "log= SUCCESS" OR "log= FAILURE" OR "log=Script " script =test1 OR
script =test2 
| dedup script 
| eval Status=case( statusString=="exit", "success", statusString=="terminated", "failed", 
1=1, "Still in progress") 
| table script Status| rename script as JobName
0 Karma

DalJeanis
Legend

Explanation:

1) The dedup command, by default, will keep only the most recent record for each script. (Technically, it keeps the first record found, and they are retrieved with the most-recent first.) That's all you need for current status.
2) Your code has only two possible values for script, so there's no need for the case statement setting JobName.

So, somesoni2's code is the simplest that will get you the status of those two jobs.

If you wanted start time, end time, and so on, then more code (and actually a different method) would be needed.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...