Currently, I get some deployment object log event like this
App1.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.start=20140911.0933.5920
App2.upload=success
App2.upload.time=13.708 sec
App3.start=20140911.0934.5920
How can I handle this structure to a row as the following result
Module | Start Date| Elapse Time| Status|
App1 ,20140911.0933.5920, 00:00:13 | Success
App2, 20140911.0943.1231, 00:00:13 | Success
App2, 20140911.0934.5920, -- | In Progress
your data is not constant and any app may come in next line... so better to break event in every new line.
then extract fields from every event like this for App1(if there is no field in iin any event then it will be empty)
module=App1
start_date=20140911.0933.5920
elapse_time=13.708
status=success
use this search
|transaction module
Hope this will help for you
I am not sure how to write this query as I am beginning-er in Splunk.
Is this really one event, or three? In other words this is about three different app actions -- does it make sense to store it as one event for other reasons?
Do you know how many app items will be in your events ahead of time?
Hi Jrodman,
Basically, there is not the one event.
Once the deployment is starting, all deployment programs will write the log to the C:\Deployment Log\build.log.
As a result, I won't know how many app items in the deployment.
In additional, most than one app will deploy in this time, so I cannot use LINE_BREAKER in props.conf
The log may look like that
App1.start=20140911.0933.5920
App2.start=20140911.0933.5920
App1.upload=success
App1.upload.time=13.708 sec
App2.upload=success
App3.start=20140911.0934.5920
App2.upload.time=13.708 sec