I have this search that will display the following
index=autosys source= jobName=
| where statusText="SUCCESS" OR statusText="RUNNING" OR statusText="FAILURE" OR statusText="JOBFAILURE"
| eval startTime=if(statusText=="RUNNING",timestamp,null)
| eval failureTime=if(statusText=="FAILURE",timestamp,null)
| eval successTime=if(statusText=="SUCCESS",timestamp,null)
| streamstats last(successTime) as prev_successtime,last(failureTime) as prev_failuretime,last(startTime) as prev_startTime current=f window=1
| table jobName startTime successTime failureTime
| rename startTime as "Start Time" successTime as "Success Time" failureTime as "Failure Time"
I would like to have the most recent startTime match up with the latest SuccessTime or FailureTime in the same row. Is this possible?
Just add this to the end:
| selfjoin jobName
You can also do this:
| stats values(*) AS * BY jobName
Does this job only run once per day?
this one in particular yes, but there will be ones that run on a variety of schedules