Solved: Search help - reporting backup status

Jaci · ‎06-07-2010

We have many hosts running backups every night and report back if they are successful or not. I would like to simplify the report the search produces so that it easier to read. What should I change in my search to get my preferred output?

Thank you!

Splunk events of both types of events:

Jun 2 21:04:55 xx.xx.13.123 Jun 2 21:04:52 xxx-app-03 ntbackup[info] 8019 End Operation: The operation was successfully completed. Consult the backup report for more details.

Jun 2 21:04:52 xx.xx.13.172 Jun 2 21:04:48 xxx-2 ntbackup[error] 8019 Warnings or errors were encountered.

Current Search we are using:

"EventCode=8019" OR " 8019 " starthoursago="24" | fields + host | eval status = if(_raw LIKE successfully, "OK", "Backup Failed")

Current Output:

_time host status _raw 1275451893 xx.xx.13.20 Backup Failed

Jun 1 23:11:33 xx.xx.13.20 Jun 1 23:11:31 host-PROC ntbackup[info] 8019 End Operation: The operation was successfully completed. Consult the backup report for more details.

Preferred output:

Date Time Host status

6/1/2010 23:11 host-PROC OK

sideview · ‎06-17-2010

Some recommendations below, but sticking with the way you're doing it for now, i think this will give you what you're looking for:

"EventCode=8019" OR " 8019 " starthoursago="24" | eval status = if(_raw LIKE successfully, "OK", "Backup Failed") | stats first(_time) as time first(status) as status by host | fields time host status

recommendations:

I recommend creating a field extraction to extract the eventCode properly. This will allow you to operate on it more easily. ie eventCode=8019 instead of the slower and more cumbersome "EventCode=8019" OR " 8019 ". It'll also allow you to do more interesting reporting on eventCode values.

I also recommend not using the old 3.X time term syntax of 'starthoursago=24' in the search language. In 4.0 and 4.1 this corresponds to setting the earliest argument to "-24h" or "-24h@h", depending.
If you use the old legacy arguments like this, the UI will nag you with blue messages everywhere.

and lastly, "fields + host" and "fields host" are synonymous in 4.1. There used to be a difference but its gone now.

View solution in original post

sideview · ‎06-17-2010

Some recommendations below, but sticking with the way you're doing it for now, i think this will give you what you're looking for:

"EventCode=8019" OR " 8019 " starthoursago="24" | eval status = if(_raw LIKE successfully, "OK", "Backup Failed") | stats first(_time) as time first(status) as status by host | fields time host status

recommendations:

I recommend creating a field extraction to extract the eventCode properly. This will allow you to operate on it more easily. ie eventCode=8019 instead of the slower and more cumbersome "EventCode=8019" OR " 8019 ". It'll also allow you to do more interesting reporting on eventCode values.

I also recommend not using the old 3.X time term syntax of 'starthoursago=24' in the search language. In 4.0 and 4.1 this corresponds to setting the earliest argument to "-24h" or "-24h@h", depending.
If you use the old legacy arguments like this, the UI will nag you with blue messages everywhere.

and lastly, "fields + host" and "fields host" are synonymous in 4.1. There used to be a difference but its gone now.

Jaci · ‎06-17-2010

Thank you for your help Nick!!

Search help - reporting backup status

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?