| eval EndTime=if(UPROC="TTXPOSR1",EndTime,null)

| append [search sourcetype=PROFILE_DAYEND_STATS Client=PP3100 PZEXINI991 OR TTXPOSR1 | eval EndTime=if(UPROC="TTXPOSR4",EndTime,null) | eval StartTime=if(UPROC="PZEXINI994",StartTime,null) | append [search sourcetype=PROFILE_DAYEND_STATS Client=PP3100 PZEXINI994 OR TTXPOSR4 | eval EndTime=if(UPROC="TTXPOSR2",EndTime,null) | eval StartTime=if(UPROC="PZEXINI992",StartTime,null) Sourcetype=PROFILE_DAYEND_STATS Client=PP3100 PZEXINI992 OR TTXPOSR2

Apologies since I know this is very complicated, but my database developers aren’t giving much to work with here. Lost yet? My problem is I can create a search that shows the start-time and end-times of the ‘subjobs’, but the ‘transaction’ command I am using will not allow for the XFED_ORG_1 job to render/display in the report. This specific job uses seconds (|1487818842000| and |1487818854000| from the example below) inline to define its start-time and end-times. I can get the total time between jobs with the search below (as ugly as it may be), however I still need to incorporate another job into this search that uses a different format, XFED_ORG_1. An example of this below would be start-time job PZEXINI991, with an end-time job of TTXPOSR1. ‘sub-jobs’ that define start and end time for each. I’m trying to find individual run times for specific jobs in our database.

And also the groups which are closing tickets belonging to our groups are not defined, so it could be G6-GXX. I need somehow to filter the tickets before any calculation as there are a lot of tickets and many groups. How should I modify the search to meet my expectations?
Index=tickets group="G1" OR group="G2" OR group="G3" OR group="G4" OR group="G5" | dedup ticketNumber | search status="Assigned" OR status="Pending" OR status="In Progress"

Does not see the closures of tickets done by other groups and I am getting:

Now I want to know which tickets are open (status assigned, pending or in progress) for my groups (G1-G5)

I have data from a ticketing system where events look (more or less, for simplicity) like this:

And for every change in the ticket a new Splunk event is generated, e.g.: