Hi,  I have set up an alert and under Actions, I have added 'Add to triggered Alerts'.  I would like to be able to use an API to retrieve the actual results of a specific triggered alert (Example, get the results of the alert triggered at 17.43.  I am using alerts/fired_alerts/<alert_name> but it just gives me the list of trigger history.  Is it possible to be able to retrieve the actual results? Preferably in JSON   ... View more

Hi,  I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries.  Example: If all status OK - Overall status=OK If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK If all are Pending - Overall status=Pending Job Status A OK B OK C Failed D Pending   Any suggestions if the above is possible?  ... View more

Hi,  I have multiple files being delivered on a daily basis are in the below format: <filename>.<yyyymmdd>.xml - Example: price.daily.20201218.xml Example of an event when a file has been delivered is:   2020-12-11 06:17:47 INFO : File_created=/current/price.daily.20201210.xml; file_size=86324624 2020-12-11 06:17:47 INFO : File_created=/current/test.daily.20201210.xml; file_size=6896548 2020-12-11 06:17:47 INFO : File_created=/current/price.daily.sources.20201210.xml; file_size=48526     I am trying to build a query to check for some specific set of files (I'm not interested in all files), whether they have been delivered and report the status in a table.  To achieve this, I have a lookup file with Filename and Group as columns Filename Group price.daily Pricing price.daily.vendor Pricing price.daily.source Pricing test.daily Testing   I would like to have a table to display if the files belonging to group Pricing have been delivered for a specific date. Can anyone please advise the best way to achieve this? FileName Group Status Time price.daily.20201210.xml Pricing Delivered 2010-12-11 06.17.47 price.daily.vendor.20201210.csv Pricing Pending N.A price.daily.source.20201210.xml Pricing Delivered 2010-12-11 06.17.47 ... View more

Hi,  In my splunk events, I have multiple jobsNames and their corresponding statusText. For one jobName, there will be multiple events with different statusText.  I need to identify all jobNames where their latest/current status is 'Running' .  i.e For the latest entry for a  specific job, the status should be Running i tried the below, but the stats by statusText shows all the status for a specific job. As such it does    index=batch firm* | stats latest(timestamp) as Time by jobName, statusText | where statusText=Running     An example of some events for one specific job can be as follows. The below job example should not appear in my results as the latest status is 'SUCCESS'   FYI - The Splunk _time for the 3 events are exactly the same. The differentiation comes in the timestamp field. As such i cannot use latest(statusText) timestamp="2020-08-20 03:18:35.0", eventNum="575452832", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="4", statusText="SUCCESS", alarmCode="0", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1" timestamp="2020-08-20 03:18:28.0", eventNum="575452821", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="1", statusText="RUNNING", alarmCode="0", text="Executing at WA_AGENT", exitCode="0", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1" timestamp="2020-08-20 03:18:28.0", eventNum="575452820", jobId="887395", jobName="firm_fisp1_ov_D8117", boxJobName="firm_fisp1_postov_box_1", eventCode="101", eventText="CHANGE_STATUS", statusCode="3", statusText="STARTING", alarmCode="0", exitCode="-21", machine="frmlxap1p1.prudential.com", runNumber="90859630", attemptNumber="1"     Any help will be appreciated!  ... View more

Hi, I have a search that returns hundreds of results. Each result contains a field called jobName and another field called server I need to build a table with 2 columns from a fixed set of JobNames. However, if one of the JobName in my defined list is not found in the search result, I need to return 'Not found' Table should look like: JobName server JobA Server1 JobB Server2 JobE Not found JobX Server6 Can anyone please help on how to generate the output above? Thanks ... View more