Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search, extract and table fields from deployment object log events

chrismok
Path Finder
‎09-13-2014 01:52 AM

Currently, I get some deployment object log event like this

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I handle this structure to a row as the following result

Module | Start Date| Elapse Time| Status|
App1 ,20140911.0933.5920, 00:00:13 | Success
App2, 20140911.0943.1231, 00:00:13 | Success
App2, 20140911.0934.5920, -- | In Progress

Tags (3)
0 Karma
Reply

kml_uvce
Builder
‎09-14-2014 03:22 AM

your data is not constant and any app may come in next line... so better to break event in every new line.
then extract fields from every event like this for App1(if there is no field in iin any event then it will be empty)
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success

use this search
|transaction module

Hope this will help for you

kamal singh bisht
0 Karma
Reply

chrismok
Path Finder
‎09-15-2014 04:06 AM

I am not sure how to write this query as I am beginning-er in Splunk.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-14-2014 01:25 AM

Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?

Do you know how many app items will be in your events ahead of time?

0 Karma
Reply

chrismok
Path Finder
‎09-14-2014 01:45 AM

Hi Jrodman,

Basically, there is not the one event.

Once the deployment is starting, all deployment programs will write the log to the C:\Deployment Log\build.log.

As a result, I won't know how many app items in the deployment.

In additional, most than one app will deploy in this time, so I cannot use LINE_BREAKER in props.conf

The log may look like that 

 App1.start=20140911.0933.5920
 App2.start=20140911.0933.5920
 App1.upload=success
 App1.upload.time=13.708 sec
 App2.upload=success
 App3.start=20140911.0934.5920
 App2.upload.time=13.708 sec
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...