
How to extract field and check if the value is greater than 300 for the last job?

Path Finder

Hello,

I have a log that contains this value:

<0> 10/03/19 16:55:00 : Maintenance counter "UV Calibration" Value is: 31 hours.

I need to check if this value is greater than 300 for the last job.
So, for example, if at 10.3.19 16:55:00 it was 300 and then at 10.3.19 16:56:00 it was 1, then it does not interest me,
but if at 10.3.19 16:55:00 it was 300 and then at 10.3.19 16:56:00 it was 301, I want to raise an alert and show it in a table.

How can I extract this field and calculate this?

Thanks

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Ultra Champion

You can do a search time extraction like this:

[your search]|rex "Value\sis\:\s(?P<calibration_duration>\d+)\shours"|table _time calibration_duration

Should give you a listing of all the times, and the calibration durations.

If I understand the second part, you want to trigger an alert if two consecutive events are >300?

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

Sorry, but I probably did not understand it correctly, because this rex returns no results.
What should "calibrationduration" and "calibrationhours" be?

About the second part, yes.

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

I tried your solution again.
Since I have a few rows that contain the string "value", I'm getting the result of the first one, which is not the correct one.
For example:

<0> 25/02/19 18:41:22 : Maintenance counter "Model 2 Left Pump" Value is: 9 hours.
... 48 lines omitted ...
<0> 25/02/19 18:41:22 : Maintenance counter "PM is Due" Value is: 117 hours.
<0> 25/02/19 18:41:22 : Maintenance counter "UV Calibration" Value is: 12 hours.

Your solution will return the value '9'.

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

UV Calibration" Value is: 17 hours. will return this value: calibration_duration=4375
Can you please explain to me what this number is?
Maybe you can explain to me the meaning of the regex?
Many thanks!

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

SplunkTrust

Will there be logs for only one job? Are you always comparing the 2 most recent job execution logs, or can it be any two consecutive job executions?

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

Well, the log file can contain many job logs, from many times,
but I will always compare 2 recent jobs, yes.

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

SplunkTrust

Where do the job names appear in the log? In your sample data, is 31 (which is followed by hours) the value you want to capture/compare?

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

Well, I need to check with our analysts where the job name is, so I will get back to you, but for your second question, yes, 31 is the value I want to capture.

0 Karma

Re: How to extract field and check if the value is greater than 300 for the last job?

Path Finder

Hi, I checked and the job name is irrelevant, but I have a serial number that I can use.

0 Karma
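
One way to put the pieces of this thread together, as an added example that is not from any poster: the rex is anchored on the counter name so that other "Value is:" lines (such as "Model 2 Left Pump") are never matched, and the latest reading is compared with the previous one per unit. Assumptions: the serial number is already extracted into a field called serial_number (hypothetical name), uv_hours and previous_uv_hours are names chosen here, and "alert" means the most recent reading is above 300.

```spl
[your search] "Maintenance counter" "UV Calibration"
| rex "Maintenance counter \"UV Calibration\" Value is: (?<uv_hours>\d+) hours"
| where isnotnull(uv_hours)
| eval uv_hours=tonumber(uv_hours)
| sort 0 serial_number _time
| streamstats current=f window=1 last(uv_hours) AS previous_uv_hours BY serial_number
| stats latest(_time) AS _time latest(uv_hours) AS uv_hours latest(previous_uv_hours) AS previous_uv_hours BY serial_number
| where uv_hours > 300
| table _time serial_number previous_uv_hours uv_hours
```

Saved as an alert that triggers when the number of results is greater than 0, this lists only units whose most recent "UV Calibration" reading is above 300; a unit that went from 300 to 1 drops out because its latest reading is 1.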