Solved: How to edit my search to get unique values based o...

athorat · ‎01-07-2016

Hi

I am displaying a table which shows:

 table JobName, jobid, start, end ,diff

using the following search. How do I get unique values based on Job name or Job Id?
stats values(JobName) does not yield results.

index=aap_prod sourcetype="HDP:PROD:OOZIE"  (":start:] with user-retry state" OR "@end***]Action updated in DB!")  | rex "TOKEN\[\] APP\[(?<JobName>[^\]]*)"  | rex "ACTION\[[^\@]*(?<Action>[^\d\]]*)" | rex "JOB\[?(?<jobid>[\d-]+)-" | streamstats current=f window=2 range(_time) as diff latest(_time) as end earliest(_time) as start| table JobName, jobid, start, end ,diff| eval start=strftime(start, "%c")|eval end=strftime(end, "%c")|eval diff=tostring(diff, "duration")| search diff!=0

Thanks for looking into this.

sundareshr · ‎01-07-2016

Try dedup JobID

View solution in original post

sundareshr · ‎01-07-2016

Try dedup JobID

athorat · ‎01-08-2016

@sundareshr
Thanks for the ans. i have posted another thread based on the same query. When I try to display a chart based on avg of JobRunTime for a specific jobname , the values shows way to high which does not match with the ones which we get from the above table.

is there a way I can display the correct values of JobRunTime for a specific job in a bar chart or a line for last 7 days or 30 days.

How to edit my search to get unique values based on JobName or jobid?

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

How to edit my search to get unique values based on JobName or jobid?

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor