Looking for multiple results in query

pshangguan · ‎10-15-2018

I have the following query I use to get the latest status and time(_time).

index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-TST6/" | sort -_time | stats latest(job_result) as status, latest(_time) as tst6t

Now, I want to get the time(_time) of the job that run successfully -> job_result=SUCCESS. I wanyt to seew if I can get those two times from the same query and display them inside the same dashboard panel. I tried different ways and could not get it working.

Thanks!

Vijeta · ‎10-15-2018

Try this :-

ME TOO
I have the following query I use to get the latest status and time(_time).

‘index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-TST6/" | sort -_time | stats latest(job_result) as status, latest(eval(job_result=“SUCCESS”)) ,latest(_time) as tst6t`

pshangguan · ‎10-15-2018

I changed it to:

stats latest(job_result) as dev2status, latest(_time=if(eval(job_result=“SUCCESS”))) as dev2st, latest(_time) as dev2t

It did not pickup the _time for the latest successful job run...

Vijeta · ‎10-15-2018

Can you do this and see if it suffices your requirement-

stats  latest(_time) as tst6t` by job_result

pshangguan · ‎10-15-2018

I used "latest(_time) as dev2st by job_result" in the stats command and the it did not get anything. I am getting "no results found" in the panel.

Vijeta · ‎10-15-2018

Are you using this query?

    index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-TST6/" | stats latest(_time) as tst6t by job_result

pshangguan · ‎10-15-2018

index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-DEV2/" | sort -_time | stats latest(job_result) as dev2status, latest(_time) as dev2st by job_result, latest(_time) as dev2t

Vijeta · ‎10-15-2018

Please try with the above query in my comments

pshangguan · ‎10-15-2018

How can I get two time values? one for the latest run, and one for the success run in your query?

Vijeta · ‎10-15-2018

you will get the latest time for each unique value in job_result. Once you get that you need to sort - dev2t. This will give you the latest job result name and also the row with value SUCCESS will give you latest time for success.

Can you paste your results here with the above query

pshangguan · ‎10-16-2018

I got two results:

job_result . tst6t
FAILURE . 1539707765.083
SUCCESS . 1539704175.318

Vijeta · ‎10-16-2018

This gives you the latest time of Failure and Success and if you sort - tst6t, it will give you the latest event among the 2 events.
Also you can convert the time in yyyy/mm/dd format using below command at end of yiur query

| eval tst6t = strftime(tst6t,"%Y/%m/%d %H:%M:%S")

pshangguan · ‎10-16-2018

tst6t only have the two times, how do i know which one is for "SUCCESS" and whicch one is for "FAILURE"?

Vijeta · ‎10-16-2018

You have the job_result column in your output against the time .

pshangguan · ‎10-18-2018

sorry i am not sure how to retrieve them individually as i am new to splunk and xml 🙂

Vijeta · ‎10-18-2018

I am not sure what your end goal is , the output you have is which gives you latest time of each job_result. Please specify what you need to do with this data

job_result . tst6t
FAILURE . 1539707765.083
SUCCESS . 1539704175.318

pshangguan · ‎10-18-2018

I want to display the last run time in the panel title field, and the last success run time in the single value title field.

pshangguan · ‎10-18-2018

In another word, I want to do something like:

tst6t_success_time and tst6t_failure_time are from tst6t. No idea how to pick them up from tst6t...

Looking for multiple results in query

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team