Splunk Search

How to coalesce events with different values for status field?

x213217
Explorer

I have this search that will display the following

index=autosys source= jobName=
| where statusText="SUCCESS" OR statusText="RUNNING" OR statusText="FAILURE" OR statusText="JOBFAILURE"
| eval startTime=if(statusText=="RUNNING",timestamp,null())
| eval failureTime=if(statusText=="FAILURE",timestamp,null())
| eval successTime=if(statusText=="SUCCESS",timestamp,null())
| streamstats last(successTime) as prev_successtime,last(failureTime) as prev_failuretime,last(startTime) as prev_startTime current=f window=1
| table jobName startTime successTime failureTime
| rename startTime as "Start Time" successTime as "Success Time" failureTime as "Failure Time"


I would like to have the most recent startTime match up with the latest SuccessTime or FailureTime in the same row. Is this possible?


woodcock
Esteemed Legend

Just add this to the end:

| selfjoin jobName

You can also do this:

| stats values(*) AS * BY jobName
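An added example, not code from either post above: the `stats values(*) AS * BY jobName` variant collapses each job to one row but keeps every distinct value seen for each field, so a job with several runs in the search window still shows a multivalue cell rather than the single most recent pair. The search below uses `latest()` per status field instead, so the row holds the most recent start and the most recent success/failure per job. Field names (`jobName`, `statusText`, `timestamp`) are taken from the question; treating `JOBFAILURE` as a failure time and the `source=`/`jobName=` placeholder values are assumptions.

```spl
index=autosys source=<your_source> jobName=<your_job>
| where statusText IN ("SUCCESS", "RUNNING", "FAILURE", "JOBFAILURE")
| eval startTime=if(statusText=="RUNNING", timestamp, null())
| eval successTime=if(statusText=="SUCCESS", timestamp, null())
| eval failureTime=if(statusText=="FAILURE" OR statusText=="JOBFAILURE", timestamp, null())
| stats latest(startTime) AS startTime latest(successTime) AS successTime latest(failureTime) AS failureTime BY jobName
| table jobName startTime successTime failureTime
| rename startTime AS "Start Time" successTime AS "Success Time" failureTime AS "Failure Time"
```

`latest()` picks by the event's `_time`, not by the `timestamp` field, so the two must agree for the pairing to be right. For jobs that run more than once per day, add a bucket such as `| bin _time span=1d` and include `_time` in the `BY` clause (or a per-run identifier if the events carry one), otherwise an older failure and a newer start from different runs land in the same row.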

grittonc
Contributor

Does this job only run once per day?


x213217
Explorer

This one in particular, yes, but there will be ones that run on a variety of schedules.
