Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I Monitor Jobs only at a specific interval in Dashboard?

Ashwini008
Builder
‎03-02-2023 03:19 AM

Hi,

I need to monitor jobs only at specific interval .From Application server we are getting only Job Name And Date of Job generated into Splunk.

For example:

Job will only run between 9:30 PM -10:30  so Splunk will have data only after 9:30 PM so up to 9:30 PM dashboard will be showing as 'Job has not run' which is incorrect. I need to check only between 9:30 PM -10:30 PM and if there is no data in Index then show as "Job has not run"

Please suggest.

query:index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName DATE
| append
[| inputlookup job.csv
| search NOT
[ search index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName ]]
| fillnull value="N" DATE
| eval DATE=if(DATE="N","Job has not run", DATE)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 06:52 AM

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 03:53 AM

Not sure what the question is here - your search seems to append all the jobs from the csv which don't have entries in the time period of the search (although it could be optimised slightly since you are doing some date manipulation and then dropping the date field, and also filling the null dates with "N" only to replace it with "Job has not run"

index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName DATE
| append
[| inputlookup job.csv
| search NOT
[ search index = test_job
sourcetype = test_job
| rex field=source ".*/(?<JobName>.*?)_.*\."
| table JobName 
| dedup JobName]]
| fillnull value="Job has not run" DATE

Is the issue that job.csv does not include the expected times which the jobs should have been run between?

Reply
Solved! Jump to solution

Ashwini008
Builder
‎03-02-2023 04:25 AM

@ITWhisperer I need to monitor Jobs only at specific interval in dashboard. From source i am extracting job name and Timestamp of file generated. This Job generates  anywhere between 9:30PM IST- 10:30PM IST . My below query is not checking for any time interval so before 9:30 PM also it is running the query and showing as "Job has not run". I need to check and run the query only after 9:30 PM and before that it should not run

 

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 04:35 AM

So if I understand correctly, the report / dashboard search can be executed at any time but you want it ignore the fact that some jobs haven't been run (yet) if the time the job is executed is not between 9:30 and 10:30?

If so, how does the search know which jobs should be run in which timeframes?

Reply
Solved! Jump to solution

Ashwini008
Builder
‎03-02-2023 06:39 AM

@ITWhisperer That's correct. That is the challenge i am facing on how to check only specific jobs at specific interval. Can we write a query to check the condition only between 9:30 PM to 10: 30 PM

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 06:52 AM

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")
Reply
Solved! Jump to solution

Ashwini008
Builder
‎03-02-2023 07:06 AM

@ITWhisperer Thank You how do i exclude weekends from the query?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 07:16 AM 
| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m") AND now()>relative_time(now(),"@w+1d") AND now()<relative_time(now(),"@w+6d")
Reply
Solved! Jump to solution

Ashwini008
Builder
‎03-02-2023 07:21 AM

@ITWhisperer I guess we can accept Answer only once per post! Anyway Thank You 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...