Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I write a search with a multifield value for job type and organization?

kteng2024
Path Finder
‎11-30-2017 03:00 PM

Hi there,

Below is the query for which i need the multi field value for job type and organization.

index=abc sourcetype=xyz source="/var/log/companies" Status=finished| eval  time=strptime(ScheduleTime, "%Y-%m-%d %H:%M:%S")
|eval st=strptime(WorkerStartTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval et=strptime(WorkerEndTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration = et - st| table Schedule_time , Type, Name, organization,  Host, length

output

Schedule_time               JobType          JobName        Organization                    Host                  length
2017-11-30 00:00:00.000       abc             compact              Google               apacheweb               73689.96
0 Karma
Reply

DalJeanis
Legend
‎12-01-2017 02:27 PM

To get that, you need to tell us what the incoming data looks like, exact field names and all.

You also need to get in the habit o aking sure to check the spelling and case of everything you code and post. Does organization have a capital "O" or not? Is the field called Name or JobName? Type or JobType? duration or length?

Here's a complete stab in the dark, which you'll have to adjust with the exact right spelling of the fields....

index=abc sourcetype=xyz source="/var/log/companies" Status=finished
| fields ScheduleTime WorkerStartTime WorkerEndTime, Organization, Host, JobType, JobName
| eval time=strptime(ScheduleTime, "%Y-%m-%d %H:%M:%S")
| eval st=strptime(WorkerStartTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval et=strptime(WorkerEndTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval DurationHrs = round( (et - st)/3600,2)
| table _time, ScheduleTime, JobType, JobName, Organization, Host, DurationHrs

Then, if you want to add up all those by JobType and JobName, then 

| stats min(_time) as _time sum(DurationHrs) as DurationHrs by JobType, JobName, Organization, Host

or 

| stats min(_time) as _time sum(DurationHrs) as DurationHrs values(JobName) as JobName by JobType, Organization, Host
0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2017 06:31 AM

You have not shown any data nor explained how your search is failing.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎11-30-2017 04:07 PM

Example data? Be sure to use the 101010 button to show the data exactly. If it is secured data, at least anonymize it, but example data is needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...