Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search, extract and table fields from deployment object log events

chrismok
Path Finder
‎09-13-2014 01:52 AM

Currently, I get some deployment object log event like this

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I handle this structure to a row as the following result

Module | Start Date| Elapse Time| Status|
App1 ,20140911.0933.5920, 00:00:13 | Success
App2, 20140911.0943.1231, 00:00:13 | Success
App2, 20140911.0934.5920, -- | In Progress

Tags (3)
0 Karma
Reply

kml_uvce
Builder
‎09-14-2014 03:22 AM

your data is not constant and any app may come in next line... so better to break event in every new line.
then extract fields from every event like this for App1(if there is no field in iin any event then it will be empty)
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success

use this search
|transaction module

Hope this will help for you

0 Karma
Reply

chrismok
Path Finder
‎09-15-2014 04:06 AM

I am not sure how to write this query as I am beginning-er in Splunk.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-14-2014 01:25 AM

Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?

Do you know how many app items will be in your events ahead of time?

0 Karma
Reply

chrismok
Path Finder
‎09-14-2014 01:45 AM

Hi Jrodman,

Basically, there is not the one event.

Once the deployment is starting, all deployment programs will write the log to the C:\Deployment Log\build.log.

As a result, I won't know how many app items in the deployment.

In additional, most than one app will deploy in this time, so I cannot use LINE_BREAKER in props.conf

The log may look like that 

 App1.start=20140911.0933.5920
 App2.start=20140911.0933.5920
 App1.upload=success
 App1.upload.time=13.708 sec
 App2.upload=success
 App3.start=20140911.0934.5920
 App2.upload.time=13.708 sec
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...