topic OR Search latest results in Splunk Search

OR Search latest results

DonBaldini — Thu, 19 Sep 2024 10:15:34 GMT

I have a search that links problem and problem task tables with a scenario that gives unexpected results

My search brings back the latest ptasks against the problem but I have identified some tasks that were closed as duplicate after the last update on the active tasks

(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| where problem!=""

Is it possible to mark an event that is closed as out of scope then disclude all the events of the same number?

Re: OR Search latest results

PaulPanther — Thu, 19 Sep 2024 13:31:05 GMT

Do you wanna filter out some events based on the results that are produced by our shared search? Would be great if you could clarify the expected outcome.

Furthermore please provide some sample data.

Re: OR Search latest results

DonBaldini — Thu, 19 Sep 2024 13:38:13 GMT

Yes, so the results that are coming back are the latest events from the ptasks marked red, I'd want to omit all events related to these so the latest events from the green task are populated in my results

Re: OR Search latest results

PaulPanther — Thu, 19 Sep 2024 13:51:14 GMT

Sorry, still not clear for me how the expected outcome should look like.

Re: OR Search latest results

DonBaldini — Thu, 19 Sep 2024 14:06:35 GMT

I dont want any of the events for a ptask where there is result of task_active=false

I can't just do a search for task_active=true because it just brings back events from when the ptasks that are now task_active=false from when they were previously true

I was thinking of a solution of having a marker before I did the stats latest
| eval OutOfScope=if(task_active="false",1,0)

then I'd need something to say if for number if one event is OutOfScope=1 then all events for that ptask number are OutOfScope=1

Re: OR Search latest results

PaulPanther — Thu, 19 Sep 2024 14:06:49 GMT

Please try:

(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| search problem!="" AND task_active!=false

Re: OR Search latest results

DonBaldini — Thu, 19 Sep 2024 14:14:37 GMT

I need to omit all events for a ptask that is now task_active=false, not just the latest event, this is why I need to do something before the stats latest.

If I do stats values instead of stats latest I want the green events but the red events are causing issues with my data as they were more recent. Not sure if you saw my previous post but I was hoping there would be a way to put an out of scope marker throughout all the unwanted events

Re: OR Search latest results

PaulPanther — Thu, 19 Sep 2024 15:29:57 GMT

Please share the raw events from the shared example.