Splunk Search

How to search, extract and table fields from deployment object log events

chrismok
Path Finder

Currently, I get some deployment object log event like this

App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920

How can I handle this structure to a row as the following result

Module | Start Date| Elapse Time| Status|
App1 ,20140911.0933.5920, 00:00:13 | Success
App2, 20140911.0943.1231, 00:00:13 | Success
App2, 20140911.0934.5920, -- | In Progress

Tags (3)
0 Karma

kml_uvce
Builder

your data is not constant and any app may come in next line... so better to break event in every new line.
then extract fields from every event like this for App1(if there is no field in iin any event then it will be empty)
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success

use this search
|transaction module

Hope this will help for you

0 Karma

chrismok
Path Finder

I am not sure how to write this query as I am beginning-er in Splunk.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?

Do you know how many app items will be in your events ahead of time?

0 Karma

chrismok
Path Finder

Hi Jrodman,

Basically, there is not the one event.

Once the deployment is starting, all deployment programs will write the log to the C:\Deployment Log\build.log.

As a result, I won't know how many app items in the deployment.

In additional, most than one app will deploy in this time, so I cannot use LINE_BREAKER in props.conf

The log may look like that

 App1.start=20140911.0933.5920
 App2.start=20140911.0933.5920
 App1.upload=success
 App1.upload.time=13.708 sec
 App2.upload=success
 App3.start=20140911.0934.5920
 App2.upload.time=13.708 sec
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...