How to display the results of a Splunk map operation together with the original fields? - splunk

I'm working with a simplified example in which there are workers which can have multiple lifecycles in which they perform tasks. (This is similar to the example of users logging into different sessions and performing shell commands given in https://community.splunk.com/t5/Splunk-Search/Any-example-for-MAP-command/m-p/88473).
When a task is started, a taskID and lifecycleID are logged. However, I would also like to look up the corresponding workerID which would have been logged together with the lifecycleID in a previous log line when the lifecycle started.
Consider the following example data:
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.07991-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started task",
"taskID": "9de93d09-5e6e-4648-9488-dda0e3e58765",
"time": "2022-04-02T21:15:38.181107-07:00"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.282264-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started task",
"taskID": "243bf757-85c6-4c6e-9eec-6d74886ec407",
"time": "2022-04-02T21:15:38.383176-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.483304-07:00",
"workerID": "0b82966c-cc98-48f0-9a36-a699e2cee48c"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.584478-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Finished task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.684633-07:00"
}
I would like to generate a table which shows the workerID, lifecycleID, and taskID for each of the three tasks started. So far what I've come up with is
index="workers" msg="Started task"
| stats count by lifecycleID
| map search="search index=workers msg=\"Started lifecycle\" lifecycleID=$lifecycleID$"
| table workerID, lifecyleID, taskID
However, this doesn't appear to retain the lifecycleID and taskID (like it would if I were to omit the map and simply count by lifecycleID, taskID):
How can I make it such that I can display all three values in the table?
Update
I've attempted RichG's answer using a subsearch,
index=workers msg="Started lifecycle"
[ search index="workers" msg="Started task"
| stats count by lifecycleID
| fields lifecycleID
| format ]
| table workerID, lifecyleID, taskID
but it generates output that is identical to the one generated in my own attempt using a map, i.e. without the lifecycleID or taskID:

Try using a subsearch instead of map. In the subsearch below (the part inside square brackets), a list of unique lifecycleID values is produced and formatted into (lifecycleID="foo" OR lifecycleID="bar"). That string is substituted for the subsearch to produce a search for all "Started lifecycle" events with one of the specified lifecycleID's.
index=workers msg="Started lifecycle"
[ search index="workers" msg="Started task"
| stats count by lifecycleID
| fields lifecycleID
| format ]
| table workerID, lifecycleID, taskID
Another method for combining events is the stats command. See the run-anywhere example below.
| makeresults
| eval data="{\"level\": \"info\",\"lifecycleID\": \"af331787-654f-441f-ac06-21b6b7e0c984\",\"msg\": \"Started lifecycle\",\"time\": \"2022-04-02T21:15:38.07991-07:00\",\"workerID\": \"c51df20b-f157-4002-8292-4583ebd3ba9e\"}
{\"level\": \"info\",\"lifecycleID\": \"af331787-654f-441f-ac06-21b6b7e0c984\",\"msg\": \"Started task\",\"taskID\": \"9de93d09-5e6e-4648-9488-dda0e3e58765\",\"time\": \"2022-04-02T21:15:38.181107-07:00\"}
{\"level\": \"info\",\"lifecycleID\": \"03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9\",\"msg\": \"Started lifecycle\",\"time\": \"2022-04-02T21:15:38.282264-07:00\",\"workerID\": \"c51df20b-f157-4002-8292-4583ebd3ba9e\"}
{\"level\": \"info\",\"lifecycleID\": \"03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9\",\"msg\": \"Started task\",\"taskID\": \"243bf757-85c6-4c6e-9eec-6d74886ec407\",\"time\": \"2022-04-02T21:15:38.383176-07:00\"}
{\"level\": \"info\",\"lifecycleID\": \"9cab44b4-5600-47b3-9acd-47b2641cb0d5\",\"msg\": \"Started lifecycle\",\"time\": \"2022-04-02T21:15:38.483304-07:00\",\"workerID\": \"0b82966c-cc98-48f0-9a36-a699e2cee48c\"}
{\"level\": \"info\",\"lifecycleID\": \"9cab44b4-5600-47b3-9acd-47b2641cb0d5\",\"msg\": \"Started task\",\"taskID\": \"864819ed-208d-4d3d-96b9-1af4c4c42b08\",\"time\": \"2022-04-02T21:15:38.584478-07:00\"}
{\"level\": \"info\",\"lifecycleID\": \"9cab44b4-5600-47b3-9acd-47b2641cb0d5\",\"msg\": \"Finished task\",\"taskID\": \"864819ed-208d-4d3d-96b9-1af4c4c42b08\",\"time\": \"2022-04-02T21:15:38.684633-07:00\"}"
| eval data=split(data,"
")
| mvexpand data
| eval _raw=data
| extract
```Everything above is just to set up test data. Omit IRL```
```Combine events that share the same lifecycleID```
| stats values(*) as * by lifecycleID
| table workerID, lifecycleID, taskID
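
An added example, not part of the answer above: `eventstats` copies the workerID from each "Started lifecycle" event onto every event with the same lifecycleID, so the result keeps one row per started task and does not depend on a subsearch, which is subject to result limits. The events in `constructed_events` are made up for this demonstration (short IDs instead of UUIDs), and lifecycle L1 deliberately starts two tasks.

```spl
| makeresults
| eval constructed_events="{\"msg\":\"Started lifecycle\",\"lifecycleID\":\"L1\",\"workerID\":\"W1\"}
###
{\"msg\":\"Started task\",\"lifecycleID\":\"L1\",\"taskID\":\"T1\"}
###
{\"msg\":\"Started task\",\"lifecycleID\":\"L1\",\"taskID\":\"T2\"}
###
{\"msg\":\"Started lifecycle\",\"lifecycleID\":\"L2\",\"workerID\":\"W2\"}
###
{\"msg\":\"Started task\",\"lifecycleID\":\"L2\",\"taskID\":\"T3\"}
###
{\"msg\":\"Finished task\",\"lifecycleID\":\"L2\",\"taskID\":\"T3\"}"
| makemv delim="###" constructed_events
| mvexpand constructed_events
| spath input=constructed_events
| fields - constructed_events
| eventstats values(workerID) as workerID by lifecycleID
| where msg="Started task"
| sort lifecycleID, taskID
| table workerID, lifecycleID, taskID
```

Against real data, replace everything up to and including `fields - constructed_events` with `index=workers (msg="Started lifecycle" OR msg="Started task")`.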

I realized that this could be achieved by a join query:
index=workers msg="Started lifecycle"
| join lifecycleID
[ search index=workers msg="Started task"]
| table workerID, lifecycleID, taskID
The results are shown below.

Related

Splunk Query to find all the occurrences of a Boolean key value pair in logs over a period of time

Given below is a snippet of splunk event. My requirement is to find all the occurrences of "isOutstanding": true. Here the point to note is that one event may/may not have multiple occurrences. Need to find the total count from multiple events over a period of time.
{
\"school\": {
\"schoolId\": \"1\",
\"schoolName\": \"SchoolX\",
\"schoolType\": \"private\",
\"students\": [
{
\"id\": \"1\",
\"isOutstanding\": true,
},
{
\"id\": \"2\",
\"isOutstanding\": false,
},
{
\"id\": \"3\",
\"isOutstanding\": false,
}
]
}
}
The below Splunk query index=myIndex "isOutstanding":true gives the count of events having "isOutstanding": true. But it doesn't consider the count of multiple occurrences in one event.
How can I get the count of all the occurrences in an event? TIA
You can combine the rex feature to extract all instances of the pattern you're looking for, then use the mvcount to count them.
index=syslog sourcetype=testing isOutstanding
| rex field=school max_match=0 "(?<outs>isOutstanding\": true)"
| eval total=mvcount(outs)
| table total
Finally got the query for my requirement
index=myindex sourcetype=mysourceType
| rex max_match=0 "(?<isOutstanding>isOutstanding\\\\\":true)"
| stats count(isOutstanding) as total

Splunk : Spath searching the JSON array

I have below two JSON events where under "appliedConditionalAccessPolicies", in one event policy1 has results =failure and policy2 has results=notApplied. In the other event the values are reversed.
Now I'm trying to get the event where the policy1 has the status="failure", it gives both the events
index=test
| spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure"
It looks like it's searching within all the elements in the array.
How can I ensure it searches both the conditions on each element of the array and returns the event which has the element satisfying both the conditions?
Events :
appDisplayName: App1
appId: aaaa-1111-111aeff-aad222221111
appliedConditionalAccessPolicies: [
{
displayName: policy1
enforcedGrantControls: [
Block
]
enforcedSessionControls: [
SignInFrequency
ContinuousAccessEvaluation
]
id: f111113-111-400c-a251-2123bbe4233e1
result: failure
}
{
displayName: policy2
enforcedGrantControls: [
Block
]
enforcedSessionControls: [
]
id: sdsds-8c92-45ef-sdsds-c0b2e006d39b
result: notApplied
}
]
appDisplayName: App1
appId: aaaa-1111-111aeff-aad222221111
appliedConditionalAccessPolicies: [
{
displayName: policy1
enforcedGrantControls: [
Block
]
enforcedSessionControls: [
SignInFrequency
ContinuousAccessEvaluation
]
id: f111113-111-400c-a251-2123bbe4233e1
result: notApplied
}
{
displayName: policy2
enforcedGrantControls: [
Block
]
enforcedSessionControls: [
]
id: sdsds-8c92-45ef-sdsds-c0b2e006d39b
result: failure
}
]
The problem is that appliedConditionalAccessPolicies{}.displayName and appliedConditionalAccessPolicies{}.result are multi-value fields so you need to do something that determines if the search matches the same index of both multi-value fields.
Here is a way using mvfind:
And mvfind gives you the multi-value field index so you can compare them, but from my testing mvfind hates field names like appliedConditionalAccessPolicies{}.displayName and appliedConditionalAccessPolicies{}.result so you need to rename them before you can use them with mvfind. This works for me:
| rename "appliedConditionalAccessPolicies{}.displayName" as displayName
| rename "appliedConditionalAccessPolicies{}.result" as result
| where mvfind(displayName,"policy1")=mvfind(result,"failure")
Here is a full example that you can play with:
| makeresults
| eval data="
{\"appDisplayName\":\"App1\",\"appId\":\"aaaa-1111-111aeff-aad222221111\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"enforcedGrantControls\":[\"Block1\"],\"enforcedSessionControls\":[\"SignInFrequency\",\"ContinuousAccessEvaluation\"],\"id\":\"f111113-111-400c-a251-2123bbe4233e1\",\"result\":\"failure\"},{\"displayName\":\"policy2\",\"enforcedGrantControls\":[\"Block2\"],\"enforcedSessionControls\":[],\"id\":\"sdsds-8c92-45ef-sdsds-c0b2e006d39b\",\"result\":\"notApplied\"}]}
###
{\"appDisplayName\":\"App2\",\"appId\":\"aaaa-1111-111aeff-aad222221112\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"enforcedGrantControls\":[\"Block1\"],\"enforcedSessionControls\":[\"SignInFrequency\",\"ContinuousAccessEvaluation\"],\"id\":\"f111113-111-400c-a251-2123bbe4233e1\",\"result\":\"notApplied\"},{\"displayName\":\"policy2\",\"enforcedGrantControls\":[\"Block2\"],\"enforcedSessionControls\":[],\"id\":\"sdsds-8c92-45ef-sdsds-c0b2e006d39b\",\"result\":\"failure\"}]}
"
| makemv data delim="###"
| mvexpand data
| spath input=data
| fields - data
| rename "appliedConditionalAccessPolicies{}.displayName" as displayName
| rename "appliedConditionalAccessPolicies{}.result" as result
| where mvfind(displayName,"policy1")=mvfind(result,"failure")
Here is a way using mvzip: (thanks to @warren)
You can join the multi-value fields together and then just search for the string that contains both values. It looks like mvzip also hates field names like appliedConditionalAccessPolicies{}.displayName and appliedConditionalAccessPolicies{}.result so you need to rename them before you can use them with mvzip. This works for me:
| rename "appliedConditionalAccessPolicies{}.displayName" as displayName
| rename "appliedConditionalAccessPolicies{}.result" as result
| where mvzip(displayName,result)="policy1,failure"
Here is a full example that you can play with:
| makeresults
| eval data="
{\"appDisplayName\":\"App1\",\"appId\":\"aaaa-1111-111aeff-aad222221111\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"enforcedGrantControls\":[\"Block1\"],\"enforcedSessionControls\":[\"SignInFrequency\",\"ContinuousAccessEvaluation\"],\"id\":\"f111113-111-400c-a251-2123bbe4233e1\",\"result\":\"failure\"},{\"displayName\":\"policy2\",\"enforcedGrantControls\":[\"Block2\"],\"enforcedSessionControls\":[],\"id\":\"sdsds-8c92-45ef-sdsds-c0b2e006d39b\",\"result\":\"notApplied\"}]}
###
{\"appDisplayName\":\"App2\",\"appId\":\"aaaa-1111-111aeff-aad222221112\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"enforcedGrantControls\":[\"Block1\"],\"enforcedSessionControls\":[\"SignInFrequency\",\"ContinuousAccessEvaluation\"],\"id\":\"f111113-111-400c-a251-2123bbe4233e1\",\"result\":\"notApplied\"},{\"displayName\":\"policy2\",\"enforcedGrantControls\":[\"Block2\"],\"enforcedSessionControls\":[],\"id\":\"sdsds-8c92-45ef-sdsds-c0b2e006d39b\",\"result\":\"failure\"}]}
"
| makemv data delim="###"
| mvexpand data
| spath input=data
| fields - data
| rename "appliedConditionalAccessPolicies{}.displayName" as displayName
| rename "appliedConditionalAccessPolicies{}.result" as result
| where mvzip(displayName,result)="policy1,failure"
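
An added example, not part of the answer above: mvfind returns only the index of the first matching value, so comparing two indexes skips an event in which "failure" first appears on an earlier policy than policy1. Expanding the array into one row per policy and testing both conditions on that row avoids this. The events in `constructed_events` are made up for the demonstration; App3 is the case the index comparison misses, and the field name `policy` is chosen here.

```spl
| makeresults
| eval constructed_events="{\"appDisplayName\":\"App1\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"result\":\"failure\"},{\"displayName\":\"policy2\",\"result\":\"notApplied\"}]}
###
{\"appDisplayName\":\"App2\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy1\",\"result\":\"notApplied\"},{\"displayName\":\"policy2\",\"result\":\"failure\"}]}
###
{\"appDisplayName\":\"App3\",\"appliedConditionalAccessPolicies\":[{\"displayName\":\"policy2\",\"result\":\"failure\"},{\"displayName\":\"policy1\",\"result\":\"failure\"}]}"
| makemv delim="###" constructed_events
| mvexpand constructed_events
| spath input=constructed_events path=appDisplayName output=appDisplayName
| spath input=constructed_events path=appliedConditionalAccessPolicies{} output=policy
| mvexpand policy
| spath input=policy
| where displayName="policy1" AND result="failure"
| table appDisplayName, displayName, result
```

Because each row holds exactly one policy object, a policy that lacks a `result` key cannot shift the pairing the way it can when two multi-value fields are matched by position.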

Splunk : Extracting the elements from JSON structure as separate fields

In Splunk, I'm trying to extract the key value pairs inside that "tags" element of the JSON structure so each one of them becomes a separate column so I can search through them.
for example :
| spath data | rename data.tags.EmailAddress AS Email
This does not help though and the Email field comes as empty. I'm trying to do this for all the tags. Any thoughts/pointers?
{
"timestamp": "2021-10-26T18:23:05.180707Z",
"data": {
"tags": [
{
"key": "Email",
"value": "john.doe#example.com"
},
{
"key": "ProjectCode",
"value": "ABCD"
},
{
"key": "Owner",
"value": "John Doe"
}
]
},
"field1": "random1",
"field2": "random2"
}
I think this does what you want:
| spath data.tags{}
| mvexpand data.tags{}
| spath input=data.tags{}
| table key value
| transpose header_field=key
| fields - column
How it works:
| spath data.tags{} takes the json and creates a multi value field that contains each item in the tags array
| mvexpand data.tags{} splits the multi value field into individual events - each one contains one of the items in the tags array
| spath input=data.tags{} takes the json in each event and makes a field for each KVP in that item (key and value in this case)
| table key value limits further commands to these two fields
| transpose header_field=key makes a field for each value of the key field (including one for the field named column)
| fields - column removes the column field from the output
Here is a fully runnable example:
| makeresults
| eval _raw="
{
\"timestamp\": \"2021-10-26T18:23:05.180707Z\",
\"data\": {
\"tags\": [
{\"key\": \"Email\", \"value\": \"john.doe#example.com\"},
{\"key\": \"ProjectCode\", \"value\": \"ABCD\"},
{\"key\": \"Owner\", \"value\": \"John Doe\"}
]
},
\"field1\": \"random1\",
\"field2\": \"random2\"
}
"
| spath data.tags{}
| mvexpand data.tags{}
| spath input=data.tags{}
| table key value
| transpose header_field=key
| fields - column
It creates this output:
+----------------------+-------------+----------+
| Email | ProjectCode | Owner |
+----------------------+-------------+----------+
| john.doe#example.com | ABCD | John Doe |
+----------------------+-------------+----------+

How to parse JSON metrics array in Splunk

I receive JSON from API in the following format:
[
{
"scId": "000DD2",
"sensorId": 2,
"metrics": [
{
"s": 5414,
"dateTime": "2018-02-02T13:03:30+01:00"
},
{
"s": 5526,
"dateTime": "2018-02-02T13:04:56+01:00"
},
{
"s": 5631,
"dateTime": "2018-02-02T13:06:22+01:00"
}
}, .... ]
Currently trying to display these metrics on the linear chart with dateTime for the X-axis and "s" for Y.
I use the following search query:
index="main" source="rest://test3" | spath input=metrics{}.s| mvexpand metrics{}.s
| mvexpand metrics{}.dateTime | rename metrics{}.s as s
| rename metrics{}.dateTime as dateTime| table s,dateTime
And I receive the data in the following format which is not applicable for linear chart. The point is - how to correctly parse the JSON to apply date-time from dateTime field in JSON to _time in Splunk.
Query results
@Max Zhylochkin,
Can you please try following search?
index="main" source="rest://test3"
| spath input=metrics{}.s
| mvexpand metrics{}.s
| mvexpand metrics{}.dateTime
| rename metrics{}.s as s
| rename metrics{}.dateTime as dateTime
| table s,dateTime
| eval _time = strptime(dateTime,"%Y-%m-%dT%H:%M:%S%:z")
Thanks

redis presto connector corrupt key when redis.key-prefix-schema-table=true for json dataFormat

I am trying to set up a working example of presto and redis on my local machine according to the (limited) presto-redis documentation.
Summary of Problem:
When using redis.key-prefix-schema-table=true and prefixing a redis key with dev:simple_table: (as instructed by the presto redis connector page), all key columns are null, and the internal column _key_corrupt is true. All value columns are parsed correctly.
When using redis.key-prefix-schema-table=false and using pure JSON key and value strings, both work as expected. (note: I have tried and failed to use the csv dataFormat as well)
What works:
I have an example working with redis server and presto server running on my local machine.
presto's etc/catalog/redis.properties file:
connector.name=redis
redis.table-names=simple_table
redis.default-schema=dev
redis.nodes=127.0.0.1:6379
redis.table-description-dir=/Users/acarson/var/redis/tables
redis.key-delimiter=:
redis.key-prefix-schema-table=false
redis.hide-internal-columns=false
I have a table definition file at /Users/acarson/var/redis/tables/simple_table.json
{
"tableName": "simple_table",
"schemaName": "dev",
"key": {
"dataFormat": "json",
"fields": [
{
"name": "id",
"mapping": "id",
"type": "BIGINT"
},
{
"name": "word",
"mapping": "word",
"type": "VARCHAR"
}
]
},
"value": {
"dataFormat": "json",
"fields": [
{
"name": "name",
"mapping": "name",
"type": "VARCHAR"
},
{
"name": "number",
"mapping": "number",
"type": "BIGINT"
},
{
"name": "boolean",
"mapping": "boolean",
"type": "BOOLEAN"
}
]
}
}
using redis-cli, I insert a value with this command:
SET '{"id": 42, "word": "foo"}' '{"name": "bar", "number": 3, "boolean": "false"}'
And I can then query the data with presto cli and the resulting columns show up as expected:
presto:dev> SELECT * FROM simple_table;
id | word | name | number | boolean | _key | _value | _key_length | _value_length | _key_corrupt | _value_corrupt
----+------+------+--------+---------+---------------------------+--------------------------------------------------+-------------+---------------+--------------+----------------
42 | foo | bar | 3 | false | {"id": 42, "word": "foo"} | {"name": "bar", "number": 3, "boolean": "false"} | 25 | 48 | false | false
What fails:
I switch the redis.properties value redis.key-prefix-schema-table to true, restart presto, delete all keys in redis-cli with FLUSHALL and then insert a new row using the schema table prefix:
SET 'dev:simple_table:{"id": 42, "word": "foo"}' '{"name": "bar", "number": 3, "boolean": "false"}'
Querying from presto cli shows _key_corrupt=true and the key values are null, even though the values still work.
presto:dev> SELECT * FROM simple_table;
id | word | name | number | boolean | _key | _value | _key_length | _value_length | _key_corrupt | _value_corrupt
------+------+--------+--------+---------+-----------------------------------------------+-----------------------------------------------------+-------------+---------------+--------------+----------------
NULL | NULL | bar | 3 | false | dev:simple_table:{"id": 42, "word": "foo"} | {"name": "bar", "number": 3, "boolean": "false"} | 42 | 48 | true | false
I've increased the log levels of redis and presto for hints, but nothing that is showing me any errors or reason for why the key is corrupt. I have a feeling my syntax for redis keys might be incorrect, but I am following the exact method described both in the presto redis documentation and even when reading through presto-redis source which specifies keys use "schema:table:*" format with this flag.
Here's the presto logs at debug level when the query is run:
2016-10-20T17:09:55.048-0700 INFO main com.facebook.presto.server.PrestoServer ======== SERVER STARTED ========
2016-10-20T17:10:24.785-0700 DEBUG query-execution-0 com.facebook.presto.execution.QueryStateMachine Query 20161021_001024_00000_qx72p is PLANNING
2016-10-20T17:10:24.802-0700 DEBUG Query-20161021_001024_00000_qx72p-104 com.facebook.presto.redis.RedisTableDescriptionSupplier Considering files: [/Users/acarson/var/redis/tables/simple_table.json]
2016-10-20T17:10:24.849-0700 DEBUG Query-20161021_001024_00000_qx72p-104 com.facebook.presto.redis.RedisTableDescriptionSupplier Redis table dev.simple_table: RedisTableDescription{tableName=simple_table, schemaName=dev, key=RedisTableFieldGroup{dataFormat=json, name=null, fields=[RedisTableFieldDescription{name=id, type=bigint, mapping=id, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=word, type=varchar, mapping=word, dataFormat=null, formatHint=null, hidden=false}]}, value=RedisTableFieldGroup{dataFormat=json, name=null, fields=[RedisTableFieldDescription{name=name, type=varchar, mapping=name, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=number, type=bigint, mapping=number, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=boolean, type=boolean, mapping=boolean, dataFormat=null, formatHint=null, hidden=false}]}}
2016-10-20T17:10:24.850-0700 DEBUG Query-20161021_001024_00000_qx72p-104 com.facebook.presto.redis.RedisTableDescriptionSupplier Loaded table definitions: [dev.simple_table]
2016-10-20T17:10:24.850-0700 DEBUG Query-20161021_001024_00000_qx72p-104 com.facebook.presto.redis.RedisTableDescriptionSupplier Found Table definition for dev.simple_table: RedisTableDescription{tableName=simple_table, schemaName=dev, key=RedisTableFieldGroup{dataFormat=json, name=null, fields=[RedisTableFieldDescription{name=id, type=bigint, mapping=id, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=word, type=varchar, mapping=word, dataFormat=null, formatHint=null, hidden=false}]}, value=RedisTableFieldGroup{dataFormat=json, name=null, fields=[RedisTableFieldDescription{name=name, type=varchar, mapping=name, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=number, type=bigint, mapping=number, dataFormat=null, formatHint=null, hidden=false}, RedisTableFieldDescription{name=boolean, type=boolean, mapping=boolean, dataFormat=null, formatHint=null, hidden=false}]}}
2016-10-20T17:10:25.020-0700 DEBUG query-execution-0 com.facebook.presto.execution.QueryStateMachine Query 20161021_001024_00000_qx72p is STARTING
2016-10-20T17:10:25.027-0700 DEBUG query-execution-1 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.1 is SCHEDULING
2016-10-20T17:10:25.064-0700 DEBUG query-execution-1 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.1 is SCHEDULED
2016-10-20T17:10:25.065-0700 DEBUG query-execution-2 com.facebook.presto.execution.QueryStateMachine Query 20161021_001024_00000_qx72p is RUNNING
2016-10-20T17:10:25.119-0700 DEBUG query-execution-2 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.1 is RUNNING
2016-10-20T17:10:25.165-0700 DEBUG query-execution-2 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.0 is SCHEDULING
2016-10-20T17:10:25.174-0700 DEBUG query-execution-2 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.0 is SCHEDULED
2016-10-20T17:10:25.179-0700 DEBUG query-execution-2 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.0 is RUNNING
2016-10-20T17:10:25.278-0700 INFO 20161021_001024_00000_qx72p.1.0-0-58 com.facebook.presto.redis.RedisJedisManager Creating new JedisPool for 127.0.0.1:6379
2016-10-20T17:10:25.313-0700 DEBUG 20161021_001024_00000_qx72p.1.0-0-58 com.facebook.presto.redis.RedisRecordCursor Scanning new Redis keys from cursor 0 . 0 values read so far
2016-10-20T17:10:25.326-0700 DEBUG 20161021_001024_00000_qx72p.1.0-0-58 com.facebook.presto.redis.RedisRecordCursor Read a total of 1 values with 48 bytes.
2016-10-20T17:10:25.330-0700 DEBUG 20161021_001024_00000_qx72p.1.0-0-58 com.facebook.presto.execution.TaskExecutor Split 20161021_001024_00000_qx72p.1.0-0 RedisSplit{connectorId=redis, schemaName=dev, tableName=simple_table, keyDataFormat=json, valueDataFormat=json, keyName=null, start=0, end=-1, nodes=[127.0.0.1:6379]} (start = 1477008625258, wall = 72 ms, cpu = 56 ms, calls = 1) is finished
2016-10-20T17:10:25.350-0700 DEBUG http-worker-77 com.facebook.presto.execution.SqlTask Aborting task 20161021_001024_00000_qx72p.1.0 output 0
2016-10-20T17:10:25.352-0700 DEBUG task-notification-1 com.facebook.presto.execution.TaskStateMachine Task 20161021_001024_00000_qx72p.1.0 is FINISHED
2016-10-20T17:10:25.357-0700 DEBUG query-execution-0 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.1 is FINISHED
2016-10-20T17:10:25.367-0700 DEBUG 20161021_001024_00000_qx72p.0.0-0-59 com.facebook.presto.execution.TaskExecutor Split 20161021_001024_00000_qx72p.0.0-0 (start = 1477008625257, wall = 110 ms, cpu = 9 ms, calls = 4) is finished
2016-10-20T17:10:25.369-0700 DEBUG http-worker-88 com.facebook.presto.execution.SqlTask Aborting task 20161021_001024_00000_qx72p.0.0 output 0
2016-10-20T17:10:25.372-0700 DEBUG task-notification-0 com.facebook.presto.execution.TaskStateMachine Task 20161021_001024_00000_qx72p.0.0 is FINISHED
2016-10-20T17:10:25.379-0700 DEBUG query-execution-0 com.facebook.presto.execution.StageStateMachine Stage 20161021_001024_00000_qx72p.0 is FINISHED
2016-10-20T17:10:25.380-0700 DEBUG query-execution-2 com.facebook.presto.execution.QueryStateMachine Query 20161021_001024_00000_qx72p is FINISHING
2016-10-20T17:10:25.383-0700 DEBUG query-execution-2 com.facebook.presto.execution.QueryStateMachine Query 20161021_001024_00000_qx72p is FINISHED
2016-10-20T17:10:25.420-0700 INFO query-execution-2 com.facebook.presto.event.query.QueryMonitor TIMELINE: Query 20161021_001024_00000_qx72p :: Transaction:[c54dc7fe-8159-434d-b4cc-cb13ad41a5d7] :: elapsed 610ms :: planning 247ms :: scheduling 248ms :: running 0ms :: finishing 363ms :: begin 2016-10-20T17:10:24.773-07:00 :: end 2016-10-20T17:10:25.383-07:00
Maybe this line needs escaping the : Did you try removing it, as : is the default anyways.
redis.key-delimiter=:
Also your prefix has a trailing : which should be left out:
SET 'dev:simple_table{"id": 42, "word": "foo"}' '{"name": "bar", "number": 3, "boolean": "false"}'
instead of
SET 'dev:simple_table:{"id": 42, "word": "foo"}' '{"name": "bar", "number": 3, "boolean": "false"}'