×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
parthmadane
Explorer
Member since: ‎04-29-2021
‎04-30-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎04-29-2021
View All

Re: How to compare events using two values of a mu...

by in Splunk Search
‎04-30-2021 05:20 AM
‎04-30-2021 05:20 AM
Hello @ITWhisperer , I think the information provided by me earlier, was a bit ambiguous. Basically, there is one event each generated w.r.t the JOB. For e.g. when it starts, then runs, some other values, stops. When the events are of such nature, the given solution does not work. I have made some changes to your sample events to better replicate mine. | makeresults | eval event="A,started:A,running:A,other unnecessary value:A,stopped:B,started:B,running:B,other unnecessary value:C,started:C,running:C,other unnecessary value:C,stopped" | eval event=split(event,":") | mvexpand event | eval job=mvindex(split(event,","),0) | eval status=split(mvindex(split(event,","),1),";") | fields job status | fields - _time | search status!=stopped status=started You will notice that both the status!=stopped status=started and status=started are returning the same result in this (my) scenario. Is there any way to compare the events and only return those jobs that are only in started and have not stopped yet. Your help in this regard is appreciated 🙂 ... View more

Re: How to compare events using two values of a mu...

by in Splunk Search
‎04-29-2021 07:30 AM
‎04-29-2021 07:30 AM
Hello @ITWhisperer, This won't work for 2 reasons. First, it will only list out the started jobs again, i.e.  Job A Job B Job C Secondly, as I said, JOB_STATUS is a multi-value field thus, it also contains some other unnecessary values. Which causes JOB_STATUS!=stopped to list again ONLY the started jobs and also job events for the other status values. ... View more

How to compare events using two values of a multi-...

by in Splunk Search
‎04-29-2021 07:05 AM
‎04-29-2021 07:05 AM
Hello all,  I have been struggling for a while now to create a query for comparing the events using two different values of a multi-value field.  For starter - We have certain jobs running for which their status is to be monitored. Below is an example of query/data - Query - source=src_name sourcetype=application Job_Name=*  JOB_STATUS=started Output - Job A      Job B Job C Query - source=src_name sourcetype=application Job_Name=*  JOB_STATUS=stopped Output - Job A Job C JOB_STATUS is the multi-value field that gives the respective Job's status after it starts running i.e. "Started." If the Job run is successful then it will be stopped, thus, there will be an event for that JOB with status as "Stopped". Else, the Job will remain in started state and so, there'll only be a "Started" event present for that JOB. What I need help with? I need a query that can compare and give the list of those Jobs that are only started and not stopped yet. Example Query -  source=src_name sourcetype=application {-- query Return jobs that are only in started and not stopped yet --} Required Output - Job B   Please help out! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-30-2021 10:48 AM
Karma given to
View All