Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Search Optimization
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
As per business requirement, need to get below details from same autosys batch and corresponding outputs to be displayed on the single row in a table:
1. Last execution time
2. Execution time of specific search keyword i.e., Completed invokexPressionJob and obtained queue id ::
3. Number of times "ERROR" keyword present
index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| stats latest(_time) as latest_time
| convert ctime(latest_time)
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| search "Completed invokexPressionJob and obtained queue id ::"
| stats latest(_time) as last_success_time
| convert ctime(last_success_time)]
| append [search index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]"
| stats count(level) by level
| WHERE level IN ("ERROR")] | append [| makeresults | eval job_name="Print Job"]
| table latest_time last_success_time count(level) job_name
| stats list(*) as *
Above query works fine. From query performance prospective, am I achieving the output right way? Is there any other better to achieve it? Because, similar set to query I need to apply to 10 other batch jobs inside the Splunk dashboard. Kindly suggest!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search
index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]"
| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time)
| convert ctime(success_time)
success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.
Not sure what you're trying to do with the final append with Print Job on a new row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using append is almost never the right solution - you are performing the same search three times and just collecting bits of info each time - this can be done in one search
index="<indexid>" Appid="<appid>" host IN (<host01>) source="<log_path01>"
| eval success_time=if(searchmatch("Completed invokexPressionJob and obtained queue id ::"), _time, null())
| rex field=_raw "\s(?P<level>[^\/]+)\s\[main\]"
| stats latest(_time) as latest_time latest(success_time) as success_time sum(eval(if(level="ERROR",1, 0))) as errors
| convert ctime(latest_time)
| convert ctime(success_time)
success_time is determined if the event matches the criteria wanted and errors are calculated if the level is ERROR.
Not sure what you're trying to do with the final append with Print Job on a new row.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
