Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count the last event if the last event =Open

rhondapace
New Member
‎03-01-2019 07:00 AM

I want to create a report which shows me the count of events if the first Event action = Open
Event Action Timestamp
123 Open 22-01-2019
123 Complete 23-01-2019
345 Open 22-01-2019
678 Open 24-01-2019
678 Open 25-01-2019
678 Closed 25-02-2019
999 Pending 22-01-2019
999 Closed 22-02-2019
999 Open 22-03-2019

Count of Open = 2

Tags (1)
0 Karma
Reply

lakshman239
Influencer
‎03-01-2019 07:33 AM

you could do something like

index=* | stats count(Action) by Timestamp - that will show 2 for 22-01-2019.

0 Karma
Reply

rhondapace
New Member
‎03-01-2019 07:50 AM

Thank you for your response, however I am looking for a way to count only the earliest event where Action=Open. I do not want to count any event where the earliest action is not Open. I am new to Splunk so I apologize if this is not clear. Something like this:

Action Count
Open 2

In my example 123 would not be counted and 678 would not be counted. Count 345 and 999.

Any help you can provide is appreciated.

0 Karma
Reply

rhondapace
New Member
‎03-01-2019 07:43 AM

Thank you, I appreciate your input. You are correct, that will show me the count by timestamp. What I really need is the count for the action, only if the earliest action = Open... any ideas for that? I would like my result to look like this:

Action Count
Open 2

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...