Hi Splunkers,
We have two slices in a pie chart. This is for deployment. One is for the successful log and the other is for the failure log. We are checking the count of successful and failure logs. Consider that we have 10 successful logs and 2 failure logs. Those two failure logs have been analysed, the deployments have happened, and they are reflected in the successful log as well, so the overall count is 12 successful logs and 2 failure logs. Even though we have deployed the failed labels and they are reflected fine in the successful log slice, the same failure logs appear in the failure log slice as well, which causes a mismatch in the original count. Is there any way to have only the latest data in the pie chart?
Please note, we have a pie chart with two slices -> deployment success and deployment failure.
@richgalloway Please find the query below.
index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| stats count by Deploy_Status
FYI, we have set up field extractions for the comma delimiters.
The output for this log is as below:
ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed
ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful
Hi
One way is to use dedup with the sortby option to get only the latest/newest event.
r. Ismo
It's possible to consider only the latest events, but there needs to be a field that distinguishes one set of failed/success events from another. I'm assuming that's the field with the value 7654321 in the sample logs.
index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF
| rex "([^,]+?,){2}(?<id>\d+)"
| dedup id
| stats count by Deploy_Status
The dedup command takes the most recent event with an unseen value in the given field. If the id field is already extracted (perhaps by another name) then you can remove the rex command and update dedup.
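A run-anywhere variant of the search above, added here as an example and not posted by anyone in the thread: it builds four constructed events with makeresults and uses stats latest() in place of dedup, so the outcome does not depend on the order in which events reach the command. The first two events are the sample lines from the question; the two DEF lines, their ids and the one-minute spacing are made up, and the third comma-separated field is assumed to identify a deployment, as in the answer above.

```spl
| makeresults count=4 ```constructed sample events, not real deployment data```
| streamstats count AS n
| eval _time = relative_time(now(), "-1h") + n*60
| eval _raw = case(
    n=1, "ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed",
    n=2, "ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful",
    n=3, "DEF,project/env,7654322,jenkins-000001.example.int-1,Deployment_Successful",
    n=4, "DEF,project/env,7654323,jenkins-000002.example.int-2,Deployment_Failed")
| rex "^(?:[^,]+,){2}(?<id>\d+),[^,]+,(?<Deploy_Status>[^,]+)$"
| stats latest(Deploy_Status) AS Deploy_Status BY id ```last status per id by _time, whatever the result order```
| stats count BY Deploy_Status
```

The generated events run oldest-first, so a plain `dedup id` here would keep the failed event for 7654321; `dedup id sortby -_time` or the `stats latest()` form above keeps the newest one regardless of order.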