How to count the last event if the last event =Ope...

rhondapace · ‎03-01-2019

I want to create a report which shows me the count of events if the first Event action = Open
Event Action Timestamp
123 Open 22-01-2019
123 Complete 23-01-2019
345 Open 22-01-2019
678 Open 24-01-2019
678 Open 25-01-2019
678 Closed 25-02-2019
999 Pending 22-01-2019
999 Closed 22-02-2019
999 Open 22-03-2019

Count of Open = 2

lakshman239 · ‎03-01-2019

you could do something like

index=* | stats count(Action) by Timestamp - that will show 2 for 22-01-2019.

rhondapace · ‎03-01-2019

Thank you for your response, however I am looking for a way to count only the earliest event where Action=Open. I do not want to count any event where the earliest action is not Open. I am new to Splunk so I apologize if this is not clear. Something like this:

Action Count
Open 2

In my example 123 would not be counted and 678 would not be counted. Count 345 and 999.

Any help you can provide is appreciated.

rhondapace · ‎03-01-2019

Thank you, I appreciate your input. You are correct, that will show me the count by timestamp. What I really need is the count for the action, only if the earliest action = Open... any ideas for that? I would like my result to look like this:

Action Count
Open 2

How to count the last event if the last event =Open

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!