Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with Splunk Query

nilbak1
Communicator
‎07-25-2020 02:12 AM

Hi All.

I need help with Splunk Query for below scenario:

I need to show the status of my cronjob in below format.

StarttimeFinishTImeCurrentStatus
Time when Job StartsTime when Job FinishesStarted/Running/Finished

 

Start:-
INFO | jvm 1 | main | 2020/07/16 03:30:08.407 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Found 13 set of files to process

End:-
INFO | jvm 1 | main | 2020/07/16 04:21:57.914 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Ended . RESULT :true

In between there are many lines for which status should be running..

Thanks in dvance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2020 05:33 AM

Hi

This works with one batch, if there are more, then you need to update that query.

| makeresults
| eval _raw="INFO | jvm 1 | main | 2020/07/16 03:30:08.407 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Found 13 set of files to process
INFO | jvm 1 | main | 2020/07/16 04:21:57.914 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Satus . RESULT :true
INFO | jvm 1 | main | 2020/07/16 04:21:57.914 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Ended . RESULT :true"
| multikv noheader=t
| eval jvm=Column_3, step=Column_6
| rex "Ended\s+\.\s+RESULT\s+:(?<result>\w+)"
| rex "Found\s+(?<noFiles>\d+) set of files to process"
| stats earliest(_time) as Starttime latest(_time) as FinishTime count as noStatus values(result) as result values(noFiles) as noFiles by jvm step
| eval CurrentStatus = case(isnotnull(result), "Finished", noStatus > 1, "Running", isnotnull(noFiles), "Started", true(), "Unkown status")
| eval Starttime = strftime(Starttime, "%c"), FinishTime = strftime(FinishTime, "%c")
| table Starttime FinishTime CurrentStatus

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2020 03:34 AM

Hi

is the “jvm 1” and “main” same for all steps in one job? How you can separate the another jobs on log files/events?

r. Ismo

0 Karma
Reply
Solved! Jump to solution

nilbak1
Communicator
‎07-25-2020 04:53 AM

Yes , its same for all the the events.
I am using the common string in the search query for the job for which I want to print the below message.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2020 05:33 AM

Hi

This works with one batch, if there are more, then you need to update that query.

| makeresults
| eval _raw="INFO | jvm 1 | main | 2020/07/16 03:30:08.407 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Found 13 set of files to process
INFO | jvm 1 | main | 2020/07/16 04:21:57.914 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Satus . RESULT :true
INFO | jvm 1 | main | 2020/07/16 04:21:57.914 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Ended . RESULT :true"
| multikv noheader=t
| eval jvm=Column_3, step=Column_6
| rex "Ended\s+\.\s+RESULT\s+:(?<result>\w+)"
| rex "Found\s+(?<noFiles>\d+) set of files to process"
| stats earliest(_time) as Starttime latest(_time) as FinishTime count as noStatus values(result) as result values(noFiles) as noFiles by jvm step
| eval CurrentStatus = case(isnotnull(result), "Finished", noStatus > 1, "Running", isnotnull(noFiles), "Started", true(), "Unkown status")
| eval Starttime = strftime(Starttime, "%c"), FinishTime = strftime(FinishTime, "%c")
| table Starttime FinishTime CurrentStatus
0 Karma
Reply
Solved! Jump to solution

nilbak1
Communicator
‎07-27-2020 05:30 AM

Thanks a ton.
It worked like a gem.

I am able to create Splunk query based on you suggestion.
Thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...