How to set the alert to run from 26 of last month to 25 of current month. Say example, Every month at day 1 I will run monthly report, for the run on December month the period should be 26th of October to 25th of November. Please guide on the same. ... View more

Hi All, I wan to run a query on every Monday morning 6AM. For this run I want set the days span as from Last Monday to Sunday. Say example, If I am running the query on 11/06/2017 morning 6 AM, I want my query to run staring from 10/30/2017 to 11/05/2017. As W0 is stands for Sunday and W1 is stands for Monday, I could not able to set W1 to earliest and W0 to latest. Is there any other ways do this. Any kind help is much appreciated. ... View more

I want to monitor my dashboard from today 7 Am to tomorrow 5 AM. I don't want to set the time manually. FYI, My dashboard contains list of jobs running from 7AM to next day 5AM. I need to monitor the progress continuously, so set up the auto refresh on every 5 minutes. Now I want to set the time in such a way that it will take the start time as 7AM today and end time is now or next day 5AM during every refresh. Please take a look and let me know the possibilities. Thanks in advance!! ... View more

I am having a dashboard comprised of 2 panels. I want to export and sent both of the panels result as CSV attachment via email whenever required. Single file with couple of tab OR two different files are fine. The dashboard should work in such a way that once I enter the date and time range and submit, the panels results should be delivered to given email address as attachment. Please guide me on the possibilities to adopt this scenario. ... View more

My requirement is to group events (list of jobs) based on their status. The status value starts with RUNNING and may end with SUCCESS OR FAILURE. I want make a table which shows the list of jobs along with the start time, end time, and current status (whether RUNNING, SUCCESS, OR FAILURE) My table should display RUNNING status until the job ends up with SUCCESS or FAILURE. In case any one of the jobs is FAILED, the status should be FAILURE. Once the issue is fixed and the same job is status=SUCCESS, I want my table to display SUCCESS. It should be a single entry for the job. Not separate entry for the failed one and the success one. I have tried two methods as mentioned below, but I'm finding a defect in both of the methods. Method 1: index=XXX sourcetype=yyy autosys_job=* autosys_status=* | transaction autosys_job keepevicted=true startswith=RUNNING endswith=eval((match autosys_status, "SUCCESS") OR (match autosys_status, "FAILURE")) |eval starttime=_time | eval endtime=_time+duration | stats last(autosys_status) AS CurrentStatus by autosys_job starttime endtime The issue I am facing with this method is in case of any job getting failed and then running to success after sometime. There are separate entries displayed for the FAILED and SUCCESS, but I don't want to display the failed entry once it is run to success. Method 2: index=XXX sourcetype=yyy autosys_job=* autosys_status=* | stats latest(autosys_status) AS currentstatus, earliest(_time) AS Starttime, latest(_time) AS Endtime by autosys_job Issue I have an issue with this method when the cause is failing. i.e. one job starts running then fails and after some time it is running to success. Here start time in the query takes initial start time (failed one) and endtime in the query takes the latest time from success one. But I want to display the start time and end time for the success run. Please let me know how can I resolve this one. ... View more

I am having a dashboard which comprises of several panels. It serves the monitoring of set of jobs. Jobs cycle started at every day 7 AM and completes around next day 5 AM. Say Example 07/18/2017 7AM to 07/19/2017 5AM. So i want to set the earliest time at 7 am at any point time throughout the cycle. I may run the dashboard at 07/18/2017 8AM 8.30AM 9AM and so on. It may continue till 07/19/2017 02AM, 02.30AM 3AM 3.30AM, 4.30AM and so on. So whenever i am running my dashboard it should from 7AM whether on the same day or next day. Please advice the feasibility on the same. ... View more

I want to do something like this, referer_domain is the field i want to extract to create a new field. I want to rex the google as one field and bing as another field, Say example google as Test and bing as Test1 referer_domain http://www.bing.com http://www.buttercupgames.com http://www.google.com http://www.yahoo.com https://www.google.com https://www.bing.com I did something like this, which is not working out, index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?<Test>google)" | rex field=referer_domain "(?<Test1>bing)" | stats count by Test Test1 host I can see single extraction is working fine as expected(the below query), but not the double one. Is it not allowed in splunk or am i missing out any syntax? index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?<Test>google)" | stats count by Test Test1 host ... View more

I am having below requirements to be merged to create a dashboard/Report. Need to append my search result to the list of jobs in the look up table. I am having look up table which contains list of jobs. I want to create a table which contains the list of jobs mentioned in my lookup along with its starting and end time. So I created something like this, index=xxx sourcetype=yyy autosysjob=* [mylookup.csv] | stats latest(_time) as ActualEndTime, earliest(_time) as ActualStartTime, latest(Jobstatus) as CurrentStatus by autosysjob | sort by StartTime The above query resulting in a table like below, autosysjob -ActualStartTime -ActualEndTime -CurrentStatus Job1 - 07/01/2017 10:51 - - 07/01/2017 10:55 -SUCCESS Job2 - 07/01/2017 10:51 - - 07/01/2017 11:20 -RUNNING Job3 - 07/01/2017 10:51 - - 07/01/2017 10:53 -SUCCESS I want to have two more field in this table The time mentioned in the above table is actual start and end time based on the completion. I want have Expected start and end time (which is static value) in the above table. As mentioned below, autosysjob -ExpectedStartTime -ExpectedEndTime -ActualStartTime -ActualEndTime CurrentStatus Job1 - 07/01/2017 10:30 - 07/01/2017 10:55 - 07/01/2017 10:40 - - 07/01/2017 10:50 -SUCCESS Job2 - 07/01/2017 10:50 - 07/01/2017 11:30 - 07/01/2017 10:51 - - 07/01/2017 11:10 -RUNNING Job3 - 07/01/2017 09:00 - 07/01/2017 10:30 - 07/01/2017 09:00 - - 07/01/2017 10:15 -SUCCESS My next requirement is Adding one more field based on the Value of CurrentStatus field as mentioned below. autosysjob -ExpectedStartTime -ExpectedEndTime -ActualStartTime -ActualEndTime CurrentStatus -Action Job1 - 07/01/2017 10:30 - 07/01/2017 10:55 - 07/01/2017 10:40 - - 07/01/2017 10:50 -SUCCESS - No Job2 - 07/01/2017 10:50 - 07/01/2017 11:30 - 07/01/2017 10:51 - - 07/01/2017 11:10 -RUNNING - Monitor Job3 - 07/01/2017 09:00 - 07/01/2017 10:30 - 07/01/2017 09:00 - - 07/01/2017 10:15 -SUCCESS - No Job4 - 07/01/2017 10:30 - 07/01/2017 10:55 - 07/01/2017 10:40 - - 07/01/2017 10:50 -FAILURE - Critical Job5 - 07/01/2017 10:50 - 07/01/2017 11:30 - 07/01/2017 10:51 - - 07/01/2017 11:10 -RUNNING - Monitor Job6 - 07/01/2017 09:00 - 07/01/2017 10:30 - 07/01/2017 09:00 - - 07/01/2017 10:15 -FAILURE - Critical And the above is my final table. Please help me out to get it done. Thank in advance! ... View more

I am having a csv file which contains some production server jobs name to monitor. I want to give those jobs listed in the file as a search string input to the splunk. Is there any way to achieve it? I cant put the Jobs in search as JOB1 OR JOB2 OR JOB3 OR and so on. But the job list is more than 60, so i am looking for a way to give all those job names as search input directly. Please let me know which command i need to use for this purpose. Thanks in Advance. ... View more

I am having lookup file with list of Jobs to be monitored. I want to create a table with the jobs name from lookup file (static) and starting time and ending time of those jobs. I will run this report every hour, whenever i am running it I want my table to get updated with the start time and end time values. Say example, 10.00AM Run Job Name - Start Time- End time Job1 -9:50 Job2 Job3 job4 - 9.10 -9.50 Job5 11:00AM Run Job Name - Start Time- End time Job1 -9:50 - 10:12 Job2 - 10:05 -10:20 Job3 - 10:15 - 10:55 job4 - 9:10 -9:50 Job5 - 10:50 12:00PM Run Job Name - Start Time- End time Job1 -9:50 - 10:12 Job2 - 10:05 -10:20 Job3 - 10:15 - 10:55 job4 - 9:10 -9:50 Job5 - 10:50 - 11:50 This is how i want to generate the table. Note- The logs for these jobs will be having the jobs name and job status like Starting, Running, Success OR Failure. I am using the lookup file because i only want to monitor the jobs listed in the lookup file. Thanks in Advance ... View more