https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94672#M24456 <P>One issue is that we have to know that the final status is resolved. Using a transaction may find the ticket simply in the open state or any other non-resolved state. So unfortunately we're forced into knowing the create time and deducing the last resolved time.</P> Wed, 19 Oct 2011 19:06:00 GMT lisa_1 2011-10-19T19:06:00Z https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94669#M24453 <P>The transaction command matches only the first instance of the specified endswith, however it's possible and likely that the transaction doesn't actually end there. Transaction should match on the last instance, but it doesn't.</P> <P>Is there a workaround for it? Consider a simple example:</P> <P><CODE><BR /> ticket=4000 transaction_type="Create" ticket_status="new"<BR /> ticket=4000 transactioon_type="Status" ticket_status="open"<BR /> ticket=4000 transaction_type="Status" ticket_status="resolved"<BR /> ticket=4000 transactioon_type="Status" ticket_status="open"<BR /> ticket=4000 transaction_type="Status" ticket_status="resolved"<BR /> </CODE></P> <P>As you can see the ticket is opened once (<CODE>startswith=Create</CODE>) but resolved twice with someone reopening the ticket in between. A simple <CODE>endswith=resolved</CODE> will miss the true resolution of the ticket and all kinds of metrics will be wrong.</P> <P>Is there a way to workaround this limitation and capture the final <CODE>ticket_status="resolved"</CODE> as the true end of the transaction for <CODE>ticket=4000</CODE>?</P> Wed, 19 Oct 2011 15:14:23 GMT https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94669#M24453 lisa_1 2011-10-19T15:14:23Z https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94670#M24454 <P>I wouldn't use endswith, since you want all events following "startswith". </P> <P>How about: <CODE>|transaction startswith=Create ticket|stats last(ticket_status) by ticket</CODE>?</P> Wed, 19 Oct 2011 15:33:16 GMT https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94670#M24454 alacercogitatus 2011-10-19T15:33:16Z https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94671#M24455 <P>In this case, do you need to use <CODE>startswith</CODE> or <CODE>endswith</CODE> at all? Can you simply transaction (or stats) on <CODE>ticket</CODE> alone?</P> <HR /> <P>Updated:</P> <P>If you need to know just the last state and time, you can do either:</P> <PRE><CODE>ticket=* | transaction ticket mvlist=ticket_status | where mvindex(ticket_status,-1)=="resolved" | eval lastresolvedtime=_time+duration </CODE></PRE> <P>or</P> <PRE><CODE>ticket=* | stats last(ticket_status) as last_status,first(_time) as start_time,last(_time) as end_time by ticket | where last_status=="resolved </CODE></PRE> Wed, 19 Oct 2011 18:38:25 GMT https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94671#M24455 gkanapathy 2011-10-19T18:38:25Z https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94672#M24456 <P>One issue is that we have to know that the final status is resolved. Using a transaction may find the ticket simply in the open state or any other non-resolved state. So unfortunately we're forced into knowing the create time and deducing the last resolved time.</P> Wed, 19 Oct 2011 19:06:00 GMT https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94672#M24456 lisa_1 2011-10-19T19:06:00Z https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94673#M24457 <P>updated answer</P> Wed, 19 Oct 2011 19:39:47 GMT https://community.splunk.com/t5/Splunk-Search/Matching-the-last-instance-of-quot-endswith-quot-in-a/m-p/94673#M24457 gkanapathy 2011-10-19T19:39:47Z