Reporting

How to count the last event if the last event = Open

rhondapace
New Member

I want to create a report which shows me the count of events if the first Event action = Open.

Event  Action    Timestamp
123    Open      22-01-2019
123    Complete  23-01-2019
345    Open      22-01-2019
678    Open      24-01-2019
678    Open      25-01-2019
678    Closed    25-02-2019
999    Pending   22-01-2019
999    Closed    22-02-2019
999    Open      22-03-2019

Count of Open = 2

0 Karma

lakshman239
Influencer

You could do something like:

index=* | stats count(Action) by Timestamp

That will show 2 for 22-01-2019.

0 Karma

rhondapace
New Member

Thank you for your response, however I am looking for a way to count only the earliest event where Action=Open. I do not want to count any event where the earliest action is not Open. I am new to Splunk so I apologize if this is not clear. Something like this:

Action Count
Open 2

In my example 123 would not be counted and 678 would not be counted. Count 345 and 999.

Any help you can provide is appreciated.

0 Karma

rhondapace
New Member

Thank you, I appreciate your input. You are correct, that will show me the count by timestamp. What I really need is the count for the action, only if the earliest action = Open... any ideas for that? I would like my result to look like this:

Action Count
Open 2

0 Karma
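
Added example, not part of any post in this thread: an SPL search that keeps only the most recent row for each Event and counts it when that row's Action is Open, which is the reading that matches the thread title and the stated expectation of counting 345 and 999. It assumes the field names Event, Action and Timestamp from the sample table, the dd-mm-yyyy date format shown there, and a Splunk version whose makeresults accepts format=csv; the inline rows are the sample data from the question.

```spl
| makeresults format=csv data="Event,Action,Timestamp
123,Open,22-01-2019
123,Complete,23-01-2019
345,Open,22-01-2019
678,Open,24-01-2019
678,Open,25-01-2019
678,Closed,25-02-2019
999,Pending,22-01-2019
999,Closed,22-02-2019
999,Open,22-03-2019"
| eval ts=strptime(Timestamp, "%d-%m-%Y")
| sort 0 Event, -ts
| dedup Event
| where Action="Open"
| stats count as Count by Action
```

Against indexed data, replace the makeresults line with the base search. If _time already holds the event timestamp, drop the eval and sort on -_time instead of -ts.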