I have logs in Splunk
that capture information related to which file was part of the execution (different executions produce the same log line with a different file name) as below
Processing file : test_1.txt
Processing file : test_2.txt
Processing file : test_3.txt
Another log captures whether the execution succeeded
Processed file successfully : test_1.txt
I want to make a splunk table or chart as below.
Date | File Name | Success | Failure |
---|---|---|---|
2021-01-01 | test_1.txt | Yes | No |
2021-01-02 | test_2.txt | No | Yes |
2021-01-03 | test_3.txt | No | Yes |
Later, when re-processing the failed tasks/files, if they are successful and we have a success log for those files, the above table should be updated with a new date (see the test_3.txt file date and Success/Failure updated in the table below)
Date | File Name | Success | Failure |
---|---|---|---|
2021-01-01 | test_1.txt | Yes | No |
2021-01-02 | test_2.txt | No | Yes |
2021-01-04 | test_3.txt | Yes | No |
Is this possible in Splunk?
Yes, it is possible. See if this helps. Explanation is embedded in the code. I'm assuming no fields are extracted currently.
| makeresults
| eval data="Processing file : test_1.txt;Processing file : test_2.txt;Processing file : test_3.txt;Processed file successfully : test_1.txt"
| eval data=split(data,";")
| mvexpand data
| eval _raw=data
```Above just sets up test data```
```Extract the file name```
| rex ": (?<filename>\S+)"
```Set Success to "Yes" if the event is a "Processed file" event. Set Failure to the inverse.```
| eval Success=if(searchmatch("Processed file"),"Yes","No")
| eval Failure=if(Success=="Yes","No","Yes")
```Round off times to the start of the day```
| bin span=1d _time
```Group events by time and file name```
| stats last(Success) as Success, last(Failure) as Failure by _time filename
| rename filename as "File Name", _time as Date
| table Date "File Name" Success Failure
```Display the Date field in the specified format```
| fieldformat Date=strftime(Date, "%Y-%m-%d")
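The search above produces one row per day and file, so a file that failed on one day and succeeded on a later day shows up twice. The following is an added example (not part of the answer above) that folds the rows down to one per file, carrying the date of the latest event and the best outcome seen, which is the "updated" table the question asks for. The timestamps, file names and log lines in the makeresults block are constructed test data; `ts`, `filename` and `done` are field names chosen here, and on real data the first six lines are replaced by a search such as `index=... ("Processing file" OR "Processed file successfully")`, where `_time` is already populated and the `ts` extraction is not needed.

```spl
| makeresults
| eval data="2021-01-01T10:00:00 Processing file : test_1.txt;2021-01-01T10:05:00 Processed file successfully : test_1.txt;2021-01-02T10:00:00 Processing file : test_2.txt;2021-01-03T10:00:00 Processing file : test_3.txt;2021-01-04T09:00:00 Processing file : test_3.txt;2021-01-04T09:10:00 Processed file successfully : test_3.txt"
| eval data=split(data,";")
| mvexpand data
| eval _raw=data
```` Constructed test data only: give each event the timestamp embedded in the line ````
| rex "^(?<ts>\S+) "
| eval _time=strptime(ts,"%Y-%m-%dT%H:%M:%S")
```` Extract the file name (the last token after ": ") ````
| rex ": (?<filename>\S+)$"
```` done=1 for a success event, 0 for a plain "Processing" event ````
| eval done=if(match(_raw,"Processed file successfully"),1,0)
```` One row per file: date of the latest event, and 1 if any attempt succeeded ````
| stats max(_time) as Date, max(done) as done by filename
| eval Success=if(done==1,"Yes","No"), Failure=if(done==1,"No","Yes")
| fieldformat Date=strftime(Date,"%Y-%m-%d")
| rename filename as "File Name"
| table Date "File Name" Success Failure
```

With the constructed data this yields test_1.txt on 2021-01-01 as Yes/No, test_2.txt on 2021-01-02 as No/Yes, and test_3.txt on 2021-01-04 as Yes/No, the second table in the question. `max(done)` treats success as sticky (a later failed re-run does not flip a file back to Failure); if a file can legitimately go from success back to failure, use `latest(done)` instead, which picks the value from the event with the most recent `_time`. Note that `last()` in the original answer picks the last row in result order, which for a normal search (newest first) is the oldest event, so on live data it can report "No" for a file whose later event was a success; `latest()` or `max()` avoids that.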