Create Splunk Chart/Table with start and end logs to check Success/Failures

I have logs in Splunk that capture information about which file is part of an execution (different executions produce the same log line with different file names), as below:

Processing file : test_1.txt
Processing file : test_2.txt
Processing file : test_3.txt

Another log captures information about whether the execution was successful:

Processed file successfully : test_1.txt 

I want to produce a Splunk table or chart like the following:

Date        File Name   Success  Failure
2021-01-01  test_1.txt  Yes      No
2021-01-02  test_2.txt  No       Yes
2021-01-03  test_3.txt  No       Yes

Later, when the failed tasks/files are reprocessed, if they succeed and we have success logs for those files, the table above should be updated with the new date (see the test_3.txt file date and Success/Failure updated in the table below):

Date        File Name   Success  Failure
2021-01-01  test_1.txt  Yes      No
2021-01-02  test_2.txt  No       Yes
2021-01-04  test_3.txt  Yes      No

Is this possible in Splunk?

Yes, this is possible. See if this helps. The explanation is embedded in the code. I am assuming that no fields are currently extracted.

| makeresults 
| eval data="Processing file : test_1.txt;Processing file : test_2.txt;Processing file : test_3.txt;Processed file successfully : test_1.txt"
| eval data=split(data,";")
| mvexpand data
| eval _raw=data
```Above just sets up test data```
```Extract the file name```
| rex ": (?<filename>\S+)"
```Set Success to "Yes" if the event is a "Processed file" event.  Set Failure to the inverse.```
| eval Success=if(searchmatch("Processed file"),"Yes","No")
| eval Failure=if(Success=="Yes","No","Yes")
```Round off times to the start of the day```
| bin span=1d _time
```Group events by time and file name```
| stats last(Success) as Success, last(Failure) as Failure by _time filename
| rename filename as "File Name", _time as Date
| table Date "File Name" Success Failure
```Display the Date field in the specified format```
| fieldformat Date=strftime(Date, "%Y-%m-%d")
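The search above groups by `_time` and file name after `bin span=1d`, so a file that failed on one day and was reprocessed successfully on a later day appears as two rows (one per day). The question asks for a single row per file whose date and outcome follow the most recent attempt. The following variant is an added example, not part of the original question or answer: it builds constructed sample events that carry their own timestamps (so `_time` comes from the log line rather than from `makeresults`), then collapses to one row per file with `stats latest(...) by filename`. The timestamp format and the sample file names are assumptions for the sake of the example; in a real index the `rex`/`strptime` step would be replaced by whatever timestamp extraction the sourcetype already performs.

```spl
| makeresults
```Constructed sample events: each line starts with its own timestamp (assumed format)```
| eval data="2021-01-01 09:00:00 Processing file : test_1.txt;2021-01-01 09:05:00 Processed file successfully : test_1.txt;2021-01-02 09:00:00 Processing file : test_2.txt;2021-01-03 09:00:00 Processing file : test_3.txt;2021-01-04 11:00:00 Processing file : test_3.txt;2021-01-04 11:02:00 Processed file successfully : test_3.txt"
| eval data=split(data,";")
| mvexpand data
| eval _raw=data
```Pull out the timestamp, the message type and the file name from each event```
| rex "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<msg>.*) : (?<filename>\S+)$"
```Use the event's own timestamp so latest() orders attempts correctly```
| eval _time=strptime(ts,"%Y-%m-%d %H:%M:%S")
```An attempt counts as a success only if a "Processed file successfully" event was logged for it```
| eval Success=if(match(msg,"^Processed file successfully"),"Yes","No")
```One row per file, carrying the date and outcome of the most recent event for that file```
| stats latest(_time) as Date, latest(Success) as Success by filename
| eval Failure=if(Success=="Yes","No","Yes")
| rename filename as "File Name"
| table Date "File Name" Success Failure
| fieldformat Date=strftime(Date,"%Y-%m-%d")
```

With the constructed events this yields exactly the three rows from the question's second table: test_1.txt 2021-01-01 Yes/No, test_2.txt 2021-01-02 No/Yes, and test_3.txt 2021-01-04 Yes/No, because `latest()` picks the 2021-01-04 success event over the earlier 2021-01-03 failure. If a failed file is never retried, its row keeps the date of the last "Processing file" event and stays marked as a failure.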