Hi Team, can you please let me know why I am not able to fetch the base_date in the dashboard using the logic below? Please help me fix this issue. Splunk query: <input type="time" token="time_token"> <label>TIME</label> <default> <earliest>-1d@d</earliest> <latest>@d</latest> </default> </input> </fieldset> <row> <panel> <table> <search> <query> | inputlookup V19_Job_data.csv | eval base_date = strftime(strptime("$time_token.earliest$", "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d") | eval expected_epoch = strptime(base_date . " " . expected_time, "%Y-%m-%d %H:%M") | eval deadline_epoch = strptime(base_date . " " . deadline_time, "%Y-%m-%d %H:%M") | join type=left job_name run_id [ search index = events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console system = EOCA host = ddebmfr.beprod01.eoc.net (( TERM(JobA) OR TERM(JobB) ) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND") | eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND" , like(TEXT, "%ENDED - TIME%"), "ENDED" , like(TEXT, "%STARTED - TIME%"), "STARTED") | eval _time_epoch = _time | eval run_id=case( date_hour < 14, "morning", date_hour >= 14, "evening" ) | eval job_name=if(searchmatch("JobA"), "JobA", "JobB") | stats latest(_time_epoch) as job_time by job_name, run_id ] | eval buffer = 60 | eval status=case( isnull(job_time), "Not Run", job_time > deadline_epoch, "Late", job_time >= expected_epoch AND job_time <= deadline_epoch, "On Time", job_time < expected_epoch, "Early" ) | convert ctime(job_time) | table job_name, run_id, expected_time, expected_epoch , base_date, deadline_time, job_time, status</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest>