topic Re: Latest event filter on status in Splunk Search

Latest event filter on status- How to get the failed tasks?

splunkuser320 — Tue, 30 May 2023 03:45:36 GMT

I have a query that is giving the latest event of the task but I want to filter the query for a status

| stats latest(status) as Status latest(time) as Time by TASK_NAME

Results:

TASK_NAME Status Time

TASK 1 Passed 2023-05-19T01:32:28

TASK 2 Failed 2023-05-19T01:35:28

TASK 3 Passed 2023-05-19T01:15:28

TASK 4 Passed 2023-05-19T05:32:28

I just wants all the failed tasks

gcusello — Mon, 29 May 2023 05:20:12 GMT

did you tried to filer events in the main search?

<base query> | search status="failed" | stats latest(status) as Status latest(time) as Time by TASK_NAME

if there's the possibility that a task can have more than a status in the period, you can put the filter at the end of the search

<base query> | stats latest(status) as Status latest(time) as Time by TASK_NAME | search status="failed"

Ciao.

Giuseppe

splunkuser320 — Mon, 29 May 2023 19:23:08 GMT

I tried this but the query is giving all the events. I want to get only the latest event.

yeahnah — Tue, 30 May 2023 00:05:27 GMT

Just remove the group by clause then...

...<your query>... | search Status="failed" | stats latest(*) AS *

By default, Splunk lists events with the latest first so you could even do this

...your base query... Status="failed" | head 1