- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to run operations on values from a main search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log file that shows the number of jobs that have been started by an application and the jobs that have been completed. I am trying to determine the jobs that are still running ("Jobs Started" - "Job completed"). I have tried the query below but it is not working:
$Request$ host="host*" Job complete | stats count as var1 | Append [ search $Request$ host="host*" Processing Job | stats count as var2] |eval diff=var1-var2 | table diff
Does anyone have ideas on how to accomplish this?
Thanks
Kafayat
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suspect that the subsearch is timing out if you're running it like that - that is to say, without specifying the index and sourcetype. It is enormously inefficient to run a search without specifying index and sourcetype. But maybe $Request$actually contains those; I obviously don't know. So step 1: ensure you are specifying index and sourcetype.
But step two will be to combine the two searches, especially since they both will be searching the same log. Here's a good way to combine them:
index=something sourcetype=whatever $Request$ host="host*" "Job complete" OR "Processing Job"
| stats count(eval(like(_raw, "%Job complete%"))) AS completed_count count(eval(like(_raw, "%Processing Job%"))) AS processing_count
| eval diff=completed_count - processing_count
| table diff
If the values "Job complete" and "Processing Job" are actually extracted out into a field at search time, you could make this even more efficient by replacing _raw in the stats line with the name of the field that contains those values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suspect that the subsearch is timing out if you're running it like that - that is to say, without specifying the index and sourcetype. It is enormously inefficient to run a search without specifying index and sourcetype. But maybe $Request$actually contains those; I obviously don't know. So step 1: ensure you are specifying index and sourcetype.
But step two will be to combine the two searches, especially since they both will be searching the same log. Here's a good way to combine them:
index=something sourcetype=whatever $Request$ host="host*" "Job complete" OR "Processing Job"
| stats count(eval(like(_raw, "%Job complete%"))) AS completed_count count(eval(like(_raw, "%Processing Job%"))) AS processing_count
| eval diff=completed_count - processing_count
| table diff
If the values "Job complete" and "Processing Job" are actually extracted out into a field at search time, you could make this even more efficient by replacing _raw in the stats line with the name of the field that contains those values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked flawlessly! Thank You
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
