Solved: How to edit my search to get unique values based o...

athorat · ‎01-07-2016

Hi

I am displaying a table which shows:

 table JobName, jobid, start, end ,diff

using the following search. How do I get unique values based on Job name or Job Id?
stats values(JobName) does not yield results.

index=aap_prod sourcetype="HDP:PROD:OOZIE"  (":start:] with user-retry state" OR "@end***]Action updated in DB!")  | rex "TOKEN\[\] APP\[(?<JobName>[^\]]*)"  | rex "ACTION\[[^\@]*(?<Action>[^\d\]]*)" | rex "JOB\[?(?<jobid>[\d-]+)-" | streamstats current=f window=2 range(_time) as diff latest(_time) as end earliest(_time) as start| table JobName, jobid, start, end ,diff| eval start=strftime(start, "%c")|eval end=strftime(end, "%c")|eval diff=tostring(diff, "duration")| search diff!=0

Thanks for looking into this.

sundareshr · ‎01-07-2016

Try dedup JobID

View solution in original post

sundareshr · ‎01-07-2016

Try dedup JobID

athorat · ‎01-08-2016

@sundareshr
Thanks for the ans. i have posted another thread based on the same query. When I try to display a chart based on avg of JobRunTime for a specific jobname , the values shows way to high which does not match with the ones which we get from the above table.

is there a way I can display the correct values of JobRunTime for a specific job in a bar chart or a line for last 7 days or 30 days.

How to edit my search to get unique values based on JobName or jobid?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?