Search through only failing logs - Jenkins

ddaly
Engager

I am trying to speed up a search on Splunk. The search looks through millions of logs for matches to around 100 event types (each event type has multiple strings to match) so it has ended up being very slow.

The original search I have is:

eventtype=fail_type* source="*console" host = $jenkins_server$  | timechart count by eventtype

This plots a timechart of the different types of fails in the Jenkins console logs, which is what I want.

I tried to speed up the job by getting it to only look through logs from failing jobs. I can get a table of failing console logs using the search below, but if I try to use those console paths in a new search by adding "| search source=console_path" it doesn't work.

event_tag="job_event" host = $jenkins_server$
| eval job_result=if(type="started", "INPROGRESS", job_result) `utc_to_local_time(job_started_at)`
| search (job_result=FAILURE OR job_result=UNSTABLE OR job_result=ABORTED)
| eval console_path= "*" + build_url + "console*"
| table console_path build_url job_result

Appreciate any help or suggestions for other ways to speed up the search.

1 Solution

somesoni2
Revered Legend

You should be able to use the results from your 2nd search (failed Jenkins jobs) in your main search as long as field names and values match between the two.

base search criteria for YourMainSearch [search YourSubSearch | limit the output fields to only the field that is available on YourMainSearch ]


ddaly
Engager

Thank you! It took a bit of figuring out, but here's the command that eventually worked. It's about 3.5 times quicker than before.

eventtype=fail_type* [search host = $jenkins_server$ index=jenkins_console source="*console" ("Finished: ABORTED" OR "Finished: FAILURE" OR "Finished: UNSTABLE")
| table source]
| timechart count by eventtype
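Editor's note, as an added example rather than code from either poster: the accepted pattern written out in full, with the inner search narrowed to one row per failing build before it is handed to the outer search. The index name, host token, source pattern, eventtype prefix and "Finished:" strings are taken from the thread; everything else is an assumption about this environment.

```spl
index=jenkins_console host=$jenkins_server$ source="*console" eventtype=fail_type*
    [ search index=jenkins_console host=$jenkins_server$ source="*console"
        ("Finished: ABORTED" OR "Finished: FAILURE" OR "Finished: UNSTABLE")
      | dedup source
      | table source ]
| timechart count by eventtype
```

Two checks worth doing before trusting the numbers. First, run the bracketed search on its own with `| format` appended: that prints the literal filter Splunk splices into the outer search, of the form `( ( source="…/console" ) OR ( source="…/console" ) )`, which also shows why the question's `| search source=console_path` returned nothing: `search` compares the `source` field to the literal string `console_path`, not to the value of that field, whereas the subsearch turns each returned value into its own `source="…"` term. Second, keep the subsearch output small: by default a subsearch is cut off at 10,000 results or 60 seconds (`maxout` and `maxtime` in the `[subsearch]` stanza of limits.conf) and the truncation is silent, so `dedup source` is cheap insurance on a busy controller. The parentheses around the three `Finished:` strings matter too: in SPL an implicit AND binds tighter than OR, so without them the FAILURE and UNSTABLE terms are not restricted by the index, host and source conditions in front of them.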