Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

whats preventing me to get the desired output

pench2k19
Explorer
‎07-25-2019 03:54 AM

Hi Team,

I am not able to get the values for SLA Time and time_diff_epoch.

when i am running two queirs indvidually i am receivng the results.

index=XXX sourcetype="XXX"
| rex "info\s:\s\+{4}\s(?<job_status>\w+)\s\+{4}"  max_match=0
| eval status=mvindex(job_status,-1)
| eval time=strptime(CNAPP_entime, "%Y-%m-%d-%H-%M-%S") 
| eval Starttime=strftime(time,"%m/%d/%y %H:%M:%S") 
| eval Endttime=strftime(time,"%Y-%m-%d %H:%M:%S")  
| where status!="" |  search status="COMPLETED"  
| rename  "CNAPP_AutosysJobName" as "Autosys Job" 
| lookup CNAPP_Joblevel_details.csv "Autosys Job" OUTPUT "SLA Time"
| eval Endttime_epoch=strptime(Endttime,"%Y-%m-%d %H:%M:%S") 
| eval sla_time_epoch =strptime("SLA Time","%Y-%m-%d %H:%M:%S") 
| eval time_diff_epoch = sla_time_epoch - Endttime_epoch
|  where  NOT like (time_diff_epoch,"-%" ) 
| table  "Autosys Job" "Endttime" "SLA Time" time_diff_epoch

can anyone tell, why am i getting this problem, it worked well before few days, now its having some problem.

@jkat54 @somesoni2 @woodcock

0 Karma
Reply

woodcock
Esteemed Legend
‎07-26-2019 03:40 PM

You did not show us the "individual queries" that are "receiving the results".

0 Karma
Reply

woodcock
Esteemed Legend
‎07-26-2019 03:37 PM

Try this (field names with spaces are EVIL😞

index=XXX sourcetype="XXX"
| rex "info\s:\s+{4}\s(?\w+)\s+{4}" max_match=0
| eval status=mvindex(job_status,-1)
| eval time=strptime(CNAPP_entime, "%Y-%m-%d-%H-%M-%S")
| eval Starttime=strftime(time,"%m/%d/%y %H:%M:%S")
| eval Endttime=strftime(time,"%Y-%m-%d %H:%M:%S")
| search status="COMPLETED"
| rename "CNAPP_AutosysJobName" AS "Autosys Job"
| lookup CNAPP_Joblevel_details.csv "Autosys Job" OUTPUT "SLA Time"
| eval sla_time_epoch =strptime("SLA Time","%Y-%m-%d %H:%M:%S")
| eval time_diff_epoch = sla_time_epoch - time
| table "Autosys Job" "Endttime" "SLA Time" time_diff_epoch
0 Karma
Reply

jpolvino
Builder
‎07-25-2019 05:06 AM

Are you certain you are getting a row back from your lookup? Check the field "Autosys Job" that is just prior to your lookup. Also for what it's worth, you should consider using field names that don't have spaces so you avoid having to double quote them. Then at the end, you can rename to a more human readable format. This can save a lot of headaches.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...