Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Splunk with BP log

HazemFarajallah
Level 4

‎13-08-19 01:09 PM

Hello everyone,

I'm trying to use Splunk to monitor all BP process, can see every process and stage and so on, 

but can't filter where is the process terminated or not. (i can see when is terminate ) ,

can anyone do small tips on how to show completed or terminated process on the Splunk? 



------------------------------
Hazem Farajallah
RPA-developer
e-on
Europe/Stockholm
------------------------------
0 Likes
4 REPLIES 4

GopalBhaire
Level 10

‎13-08-19 03:11 PM

Convert StartDate to time then sort SessionNumber on converted time & finally use case where StageType=End is Completed &  Result containing ERROR is Terminated.and StageType=Undefined is Stopped.

------------------------------
Gopal Bhaire
Analyst
Accenture
------------------------------

HazemFarajallah
Level 4
In response to GopalBhaire

‎14-08-19 12:00 PM

Thanks for sharing, i kind of new to splunk
i have this data from BP log 

currprocessid: 1c808a33-3c5a-4c88-a189-1c2b07968d01 
   currprocessname: Logout 
   currprocesstype: 0 
   eventId: endProcess 
   mainprocessid: 1c808a33-3c5a-4c88-a189-1c2b07968d01 
   mainprocessname: Logout 
   pageid: 00000000-0000-0000-0000-000000000000 
   pagename: Main Page 
   resourceName: HP20062703 
   sessionNumber: 2677 
   sessionid: 96f9421d-1b82-4e89-a5d3-7824d50708b8 
   stageid: 1e575b0c-7b9f-4c63-a376-8582dd8f27f2 
   stagename: End 
   when: 2019-08-14T10:54:41.6449175Z 

what I'm trying to get in a table is when started and finished, resourse name, process name, and status.

source="BP" | spath eventId  | search eventId=startProcess| spath when | search when="*" | top  limit=20 

i can find when is every process started  but cant compind with Compeleted or terminated .   

if you have tips how to query them it will be great. 

Thanks in advance 



------------------------------
Hazem Farajallah
RPA-developer
e-on
Europe/Stockholm
------------------------------
0 Likes

GopalBhaire
Level 10
In response to HazemFarajallah

‎14-08-19 05:33 PM

You're using v6.4, much less info is sent than by Data Gateways, also I don't have Splunk installed right now.

But it has to be something like (the query below might not work, but let me know the result) 
source="BP" | eval t = when | eval time=strptime(t,"%Y-%m-%dT%H:%M:%S.%Q%Z")| dedup 1 sessioNumber sortby -time | eval Status=case(eventId="endProcess"​, "Completed")| table mainprocessname, eventId , Status

You can terminate a process and examine the log than add it to case above (would be helpful if you paste that event here). Basically it's examining the last event of a session.



------------------------------
Gopal Bhaire
Analyst
Accenture
------------------------------

HazemFarajallah
Level 4
In response to GopalBhaire

‎15-08-19 09:29 AM

Hello

thanks, it works great,  what do you think is best to find the running ones (compare time on the same sessionid?) 
 



------------------------------
Hazem Farajallah
RPA-developer
e-on
Europe/Stockholm
------------------------------
0 Likes