Splunk Search

How can I put the status into 1 when the log has "failed"?

shiranaka
New Member

I'm creating oracle RMAN chart and need the status when failed then the status should be 1 normally it should be 0.
For example,

index="oracle" BKUPTYPE OR ORACLE_NAME OR Starting OR complete | transaction source | rex "ORACLE_NAME\s*:\s*(?\w+)" | rex "BKUPTYPE\s*:\s*(?\w+)" | where BKUPTYPE != "ARCHIVE" | EVAL name_type = ORACLE_NAME+"_"+BKUPTYPE | EVAL duration=duration*1000 | EVAL status=??? | table _time, name_type, status, duration

Tags (1)
0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Try this:

eval status= if(match(_raw,"failed"), 1, 0)

View solution in original post

0 Karma

shiranaka
New Member

Hello
It's perfect for me and I could complete very useful dashboard for RMAN.
Thank you so much!

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Try this:

eval status= if(match(_raw,"failed"), 1, 0)

0 Karma

shiranaka
New Member

Hello
It's perfect for me and I could complete useful RMAN dashboard.
Thank you so much!

0 Karma

mayurr98
Super Champion

Hi how do you say that the log has failed? is there a status field or is there any search term?
also put your query in 101010 sample code .

0 Karma

shiranaka
New Member

Hello
"failed" is output into the log, normally "completed" without the status field..

Normally I just extract 4 rows like this.
2019-02-06 09:40:01>open_logs: ORACLE_NAME : xxx
2019-02-06 09:40:01>open_logs: BKUPTYPE : ARCHIVE
2019-02-06 09:40:19>do_backup: Starting ARCHIVE database backup...
2019-02-06 09:49:47>do_backup: Database backup complete.
It does not have any status field.

when failed, additionally something like below will be output into the log.
RMAN-03002: failure of recover command at 02/04/2019 23:07:19
ORA-19870: error while restoring backup piece /BACKUPS/xxx/budump/xxx_20190127_224906_1
ORA-19505: failed to identify file "/BACKUPS/xxx/budump/xxx_20190127_224906_1"
ORA-27037: unable to obtain file status
I need to make something like status field from the log above.

Thanks.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...