How to get only latest try of a job?

splunkuser320 · ‎12-06-2022

I need to show only the results of the job. Job try multiple times in case of failure. So if the job passed on 3rd attempt then I do not want to include it in the failed job counter.

Sample logs

{"id":"1", "status": "Failed","retry":"1"}

{"id":"1", "status": "Failed","retry":"2"}

{"id":"1", "status": "Failed","retry":"4"}

{"id":"1", "status": "Failed","retry":"5"}

{"id":"2", "status": "Passed","retry":"1"}

{"id":"3", "status": "Failed","retry":"1"}

{"id":"3", "status": "Passed","retry":"1"}

In the above example counter should show value 0f 1 since only job 1 is failed in last try

richgalloway · ‎12-06-2022

Use | dedup id to keep only the first event for each job ID. Since Splunk processes events in reverse time order, the first event seen is the most recent one.

---
If this reply helps you, Karma would be appreciated.

splunkuser320 · ‎12-07-2022

Thanks for the reply. I only want to show the results of the failed job, so If the last attempt is successful, I want to exclude it.

VatsalJagani · ‎12-07-2022

@splunkuser320 - Filter for the failed job before you dedup.

index=<whatever> <any-other-search-filters>
| search status="Failed" | dedup id

Hope this helps. Kindly accept the answer and upvote the answer if this helps!!!

How to get only latest try of a job?

eval

stats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms