https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687070#M234337 <P>This is because the transaction ids have events with both sorts of status. If you just want the latest, you could try something like this</P><LI-CODE lang="markup">|stats latest(Status) as Status by transactionId</LI-CODE> Thu, 09 May 2024 16:59:24 GMT ITWhisperer 2024-05-09T16:59:24Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687067#M234335 <P>Hi All,</P> <P>This the query which i try to get status.But in the table its shows both error and success.PFA screenshot</P> <LI-CODE lang="markup">| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId</LI-CODE> Thu, 09 May 2024 17:08:33 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687067#M234335 karthi2809 2024-05-09T17:08:33Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687070#M234337 <P>This is because the transaction ids have events with both sorts of status. If you just want the latest, you could try something like this</P><LI-CODE lang="markup">|stats latest(Status) as Status by transactionId</LI-CODE> Thu, 09 May 2024 16:59:24 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687070#M234337 ITWhisperer 2024-05-09T16:59:24Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687071#M234338 <P>If i use some of the transactionID is error but some of its showing as Success.If the priority=error and exception="error" but the status is SUCCESS.I dont know y.</P> Thu, 09 May 2024 17:12:13 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687071#M234338 karthi2809 2024-05-09T17:12:13Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687074#M234339 <P>Please provide some anonymised representative events which demonstrate the issue you are facing, what results you are getting, and your expected results.</P> Thu, 09 May 2024 17:17:13 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687074#M234339 ITWhisperer 2024-05-09T17:17:13Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687078#M234340 <P>Based on priority field and tracepoint field i am getting the status field.If priority is error and tracepoint as exception then i set status as per the keyword.But in some case its showing both ERROR and SUCCESS.</P><TABLE border="1" width="99.83660130718954%"><TBODY><TR><TD width="82.6797385620915%">Message</TD><TD width="5.065359477124183%">priority</TD><TD width="12.091503267973856%">tracepoint</TD></TR><TR><TD>After Common SFTP Get File List Response</TD><TD>INFO</TD><TD>AFTER_REQUEST&nbsp;</TD></TR><TR><TD width="82.6797385620915%">After Common SFTP Get File List Response</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">AFTER_REQUEST</TD></TR><TR><TD width="82.6797385620915%">Before Common SFTP Get File Data Request</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">BEFORE_REQUEST</TD></TR><TR><TD width="82.6797385620915%">Before Common SFTP Get File List Request</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">BEFORE_REQUEST</TD></TR><TR><TD width="82.6797385620915%">Before Common SFTP Archive File Request</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">BEFORE_REQUEST</TD></TR><TR><TD width="82.6797385620915%">File Upload Request for BEFORE_REQUEST</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">BEFORE_REQUEST</TD></TR><TR><TD width="82.6797385620915%">File Upload to in SFTP mode. &gt;&gt;&gt; END</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">END</TD></TR><TR><TD width="82.6797385620915%">&nbsp;</TD><TD width="5.065359477124183%">&nbsp;</TD><TD width="12.091503267973856%">END</TD></TR><TR><TD width="82.6797385620915%">File Upload Request for f</TD><TD width="5.065359477124183%">ERROR</TD><TD width="12.091503267973856%">EXCEPTION</TD></TR><TR><TD width="82.6797385620915%">Error while trying to upload file to GCP from Common SFTP</TD><TD width="5.065359477124183%">ERROR</TD><TD width="12.091503267973856%">EXCEPTION</TD></TR><TR><TD width="82.6797385620915%">DEV(ERROR): Error while processing System request</TD><TD width="5.065359477124183%">INFO</TD><TD width="12.091503267973856%">BEFORE_REQUEST</TD></TR></TBODY></TABLE> Thu, 09 May 2024 17:28:41 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687078#M234340 karthi2809 2024-05-09T17:28:41Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687099#M234350 <P>So if a transaction has both ERROR and not ERROR, what do you want it to show?</P> Thu, 09 May 2024 22:01:54 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687099#M234350 ITWhisperer 2024-05-09T22:01:54Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687110#M234354 <P>If error and exception then it should be error rest of them are success.but using the below query to get status still.i got both suuccess and error for the some of the transactions ID&nbsp;</P><DIV class=""><DIV class=""><PRE>| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId</PRE></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV> Fri, 10 May 2024 02:00:25 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687110#M234354 karthi2809 2024-05-10T02:00:25Z https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687135#M234367 <LI-CODE lang="markup">| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId | eval Status=mvindex(Status, 0)</LI-CODE> Fri, 10 May 2024 08:06:31 GMT https://community.splunk.com/t5/Splunk-Search/Status-Field-Showing-Both-the-values-in-same-field/m-p/687135#M234367 ITWhisperer 2024-05-10T08:06:31Z