topic How to use last() and first() commands in splunk? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-use-last-and-first-commands-in-splunk/m-p/413822#M119253 <P>Hi,</P> <P>index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment_group |streamstats current=f last(assignment_group) as lg, last(active) as Active,first(assigned_to) as fs,last(assigned_to) as ls by CaseNumber|lookup Team.csv test as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment_group!=lg AND assignment_group="Support L1",1,NULL) |eval is_resolved=if(assignment_group="Support L1" AND status="Complete" AND (isnull(Active) OR Active="true") AND fs=ls,1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName</P> <P>The above query display the person wise resolved and escalated count.The persons names we are reading from Team.csv file.<BR /> 1)Now i want to display count of only one person resolved entire case(from first to last means first(assigned_to)=last(assigned_to).<BR /> 2)Now i want to display persons who is involved in that case while resolving partcular case.<BR /> EX:Case No :1111,assigned_to: ramesh,raju,ramu.<BR /> So three members worked for this case.so this case should comes under all three.<BR /> 3)Two steps same for Escalated cases as well.</P> <P>How to do this?</P> Tue, 29 Sep 2020 23:29:02 GMT ramesh12345 2020-09-29T23:29:02Z How to use last() and first() commands in splunk? https://community.splunk.com/t5/Splunk-Search/How-to-use-last-and-first-commands-in-splunk/m-p/413822#M119253 <P>Hi,</P> <P>index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment_group |streamstats current=f last(assignment_group) as lg, last(active) as Active,first(assigned_to) as fs,last(assigned_to) as ls by CaseNumber|lookup Team.csv test as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment_group!=lg AND assignment_group="Support L1",1,NULL) |eval is_resolved=if(assignment_group="Support L1" AND status="Complete" AND (isnull(Active) OR Active="true") AND fs=ls,1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName</P> <P>The above query display the person wise resolved and escalated count.The persons names we are reading from Team.csv file.<BR /> 1)Now i want to display count of only one person resolved entire case(from first to last means first(assigned_to)=last(assigned_to).<BR /> 2)Now i want to display persons who is involved in that case while resolving partcular case.<BR /> EX:Case No :1111,assigned_to: ramesh,raju,ramu.<BR /> So three members worked for this case.so this case should comes under all three.<BR /> 3)Two steps same for Escalated cases as well.</P> <P>How to do this?</P> Tue, 29 Sep 2020 23:29:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-last-and-first-commands-in-splunk/m-p/413822#M119253 ramesh12345 2020-09-29T23:29:02Z Re: How to use last() and first() commands in splunk? https://community.splunk.com/t5/Splunk-Search/How-to-use-last-and-first-commands-in-splunk/m-p/413823#M119254 <P>You need to add <CODE>values(assigned_to) as all</CODE> in there, too.</P> Wed, 06 Mar 2019 06:51:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-last-and-first-commands-in-splunk/m-p/413823#M119254 woodcock 2019-03-06T06:51:58Z