Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search, extract and table fields from deployment object log events

chrismok
Path Finder
‎09-13-2014 01:52 AM

Currently, I get some deployment object log event like this

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I handle this structure to a row as the following result

Module | Start Date| Elapse Time| Status|
App1 ,20140911.0933.5920, 00:00:13 | Success
App2, 20140911.0943.1231, 00:00:13 | Success
App2, 20140911.0934.5920, -- | In Progress

Tags (3)
0 Karma
Reply

kml_uvce
Builder
‎09-14-2014 03:22 AM

your data is not constant and any app may come in next line... so better to break event in every new line.
then extract fields from every event like this for App1(if there is no field in iin any event then it will be empty)
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success

use this search
|transaction module

Hope this will help for you

kamal singh bisht
0 Karma
Reply

chrismok
Path Finder
‎09-15-2014 04:06 AM

I am not sure how to write this query as I am beginning-er in Splunk.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-14-2014 01:25 AM

Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?

Do you know how many app items will be in your events ahead of time?

0 Karma
Reply

chrismok
Path Finder
‎09-14-2014 01:45 AM

Hi Jrodman,

Basically, there is not the one event.

Once the deployment is starting, all deployment programs will write the log to the C:\Deployment Log\build.log.

As a result, I won't know how many app items in the deployment.

In additional, most than one app will deploy in this time, so I cannot use LINE_BREAKER in props.conf

The log may look like that 

 App1.start=20140911.0933.5920
 App2.start=20140911.0933.5920
 App1.upload=success
 App1.upload.time=13.708 sec
 App2.upload=success
 App3.start=20140911.0934.5920
 App2.upload.time=13.708 sec
0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...