Re: Oldest 50 Tickest that are OPEN

cocomaster · ‎03-12-2019

I am having hard times to query the Splunk.
The data in splunk is a list of tickets and their updates over time i.e:

TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(pending),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(on hold),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(closed),ASSIGNED_TO,...

I am looking for a way to find 50 Oldest tickets that are NOT closed.

How should i query the splunk knowing i have 5 years old database of tickets?

saurabh009 · ‎03-12-2019

Try out this query:-
Index=indexName sourcetype=sourcetypeName |search STATE != "closed"|sort _time|head 50

Search for AllTime as your data is pretty old, this may take sometime.

Oldest 50 Tickest that are OPEN

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms