Splunk Enterprise

How can I Monitor Jobs only at a specific interval in Dashboard?

Ashwini008
Builder

Hi,

I need to monitor jobs only at a specific interval. From the application server we are getting only the job name and the date of the job generated into Splunk.

For example:

The job will only run between 9:30 PM - 10:30, so Splunk will have data only after 9:30 PM, so up to 9:30 PM the dashboard will be showing 'Job has not run', which is incorrect. I need to check only between 9:30 PM - 10:30 PM, and if there is no data in the index then show "Job has not run".

Please suggest.

query:

index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName DATE
| append
[| inputlookup job.csv
| search NOT
[ search index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName ]]
| fillnull value="N" DATE
| eval DATE=if(DATE="N","Job has not run", DATE)

0 Karma
1 Solution

ITWhisperer
SplunkTrust

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")


ITWhisperer
SplunkTrust

Not sure what the question is here - your search seems to append all the jobs from the csv which don't have entries in the time period of the search (although it could be optimised slightly, since you are doing some date manipulation and then dropping the date field, and also filling the null dates with "N" only to replace it with "Job has not run"):

index = test_job
sourcetype = test_job
| rex field=source ".*/(?<name>.*?)_(?<date>.*)\."
| eval DATE=strftime(strptime(date,"%m%d%Y_%I.%M.%S.%p"),"%m-%d-%Y %I:%M:%S %p")
| rename name as JobName
| table JobName DATE
| append
[| inputlookup job.csv
| search NOT
[ search index = test_job
sourcetype = test_job
| rex field=source ".*/(?<JobName>.*?)_.*\."
| table JobName 
| dedup JobName]]
| fillnull value="Job has not run" DATE

Is the issue that job.csv does not include the expected times which the jobs should have been run between?

Ashwini008
Builder

@ITWhisperer I need to monitor jobs only at a specific interval in the dashboard. From source I am extracting the job name and the timestamp of the file generated. This job generates anywhere between 9:30 PM IST - 10:30 PM IST. My below query is not checking for any time interval, so before 9:30 PM it is also running the query and showing as "Job has not run". I need to check and run the query only after 9:30 PM, and before that it should not run.

0 Karma

ITWhisperer
SplunkTrust

So if I understand correctly, the report / dashboard search can be executed at any time, but you want it to ignore the fact that some jobs haven't been run (yet) if the time the job is executed is not between 9:30 and 10:30?

If so, how does the search know which jobs should be run in which timeframes?

Ashwini008
Builder

@ITWhisperer That's correct. That is the challenge I am facing: how to check only specific jobs at a specific interval. Can we write a query to check the condition only between 9:30 PM and 10:30 PM?

0 Karma

ITWhisperer
SplunkTrust

You could force your search to only return results (if there are any) when it is between certain times

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m")

Ashwini008
Builder

@ITWhisperer Thank you. How do I exclude weekends from the query?

0 Karma

ITWhisperer
SplunkTrust

| where now()>relative_time(now(),"@d+21h+30m") AND now()<relative_time(now(),"@d+22h+30m") AND now()>relative_time(now(),"@w+1d") AND now()<relative_time(now(),"@w+6d")

Ashwini008
Builder

@ITWhisperer I guess we can accept Answer only once per post! Anyway Thank You 🙂

0 Karma
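
An added example, not part of the thread or written by any of its posters: a small Python model of the snap-to arithmetic in the final `where` clause above, run over constructed clock readings to show when the search would return rows. It assumes Splunk's `@w` snaps to Sunday 00:00 and ignores time zones and DST; the function names are hypothetical.

```python
from datetime import datetime, timedelta


def snap_day(t):
    """Model of the "@d" snap: midnight at the start of t's day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def snap_week(t):
    """Model of the "@w" snap (assumed: 00:00 on the most recent Sunday)."""
    # datetime.weekday() is Mon=0 .. Sun=6, so Sunday lies (weekday+1) % 7 days back.
    return snap_day(t) - timedelta(days=(t.weekday() + 1) % 7)


def in_monitoring_window(now):
    """Python rendering of the final `where` clause, keeping its strict < and >."""
    day_start = snap_day(now) + timedelta(hours=21, minutes=30)  # "@d+21h+30m"
    day_end = snap_day(now) + timedelta(hours=22, minutes=30)    # "@d+22h+30m"
    week_start = snap_week(now) + timedelta(days=1)              # "@w+1d": Monday 00:00
    week_end = snap_week(now) + timedelta(days=6)                # "@w+6d": Saturday 00:00
    return day_start < now < day_end and week_start < now < week_end


# Constructed sample clock readings; 2024-01-15 is a Monday.
SAMPLES = {
    "Mon 21:29:59": datetime(2024, 1, 15, 21, 29, 59),
    "Mon 21:30:00": datetime(2024, 1, 15, 21, 30, 0),   # boundary, excluded by strict >
    "Mon 21:30:01": datetime(2024, 1, 15, 21, 30, 1),
    "Fri 22:29:59": datetime(2024, 1, 19, 22, 29, 59),
    "Fri 22:30:00": datetime(2024, 1, 19, 22, 30, 0),   # boundary, excluded by strict <
    "Sat 22:00:00": datetime(2024, 1, 20, 22, 0, 0),
    "Sun 22:00:00": datetime(2024, 1, 21, 22, 0, 0),
}


def evaluate_samples():
    """Return {label: True if the gated search would return rows at that time}."""
    return {label: in_monitoring_window(t) for label, t in SAMPLES.items()}


if __name__ == "__main__":
    for label, shown in evaluate_samples().items():
        print(f"{label}: {'rows returned' if shown else 'no rows'}")
```

Because the clause gates the whole result set, rows for jobs that did run are also hidden outside the window, not only the "Job has not run" rows.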