Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to get unique values based on JobName or jobid?

athorat
Communicator
‎01-07-2016 01:13 PM

Hi

I am displaying a table which shows:

 table JobName, jobid, start, end ,diff

using the following search. How do I get unique values based on Job name or Job Id?
stats values(JobName) does not yield results. 

index=aap_prod sourcetype="HDP:PROD:OOZIE"  (":start:] with user-retry state" OR "@end***]Action updated in DB!")  | rex "TOKEN\[\] APP\[(?<JobName>[^\]]*)"  | rex "ACTION\[[^\@]*(?<Action>[^\d\]]*)" | rex "JOB\[?(?<jobid>[\d-]+)-" | streamstats current=f window=2 range(_time) as diff latest(_time) as end earliest(_time) as start| table JobName, jobid, start, end ,diff| eval start=strftime(start, "%c")|eval end=strftime(end, "%c")|eval diff=tostring(diff, "duration")| search diff!=0

Thanks for looking into this.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-07-2016 01:17 PM

Try dedup JobID

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-07-2016 01:17 PM

Try dedup JobID

0 Karma
Reply
Solved! Jump to solution

athorat
Communicator
‎01-08-2016 03:11 PM

@sundareshr
Thanks for the ans. i have posted another thread based on the same query. When I try to display a chart based on avg of JobRunTime for a specific jobname , the values shows way to high which does not match with the ones which we get from the above table.

is there a way I can display the correct values of JobRunTime for a specific job in a bar chart or a line for last 7 days or 30 days.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...