Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count the last event if the last event =Open

rhondapace
New Member
‎03-01-2019 07:00 AM

I want to create a report which shows me the count of events if the first Event action = Open
Event Action Timestamp
123 Open 22-01-2019
123 Complete 23-01-2019
345 Open 22-01-2019
678 Open 24-01-2019
678 Open 25-01-2019
678 Closed 25-02-2019
999 Pending 22-01-2019
999 Closed 22-02-2019
999 Open 22-03-2019

Count of Open = 2

Tags (1)
0 Karma
Reply

lakshman239
Influencer
‎03-01-2019 07:33 AM

you could do something like

index=* | stats count(Action) by Timestamp - that will show 2 for 22-01-2019.

0 Karma
Reply

rhondapace
New Member
‎03-01-2019 07:50 AM

Thank you for your response, however I am looking for a way to count only the earliest event where Action=Open. I do not want to count any event where the earliest action is not Open. I am new to Splunk so I apologize if this is not clear. Something like this:

Action Count
Open 2

In my example 123 would not be counted and 678 would not be counted. Count 345 and 999.

Any help you can provide is appreciated.

0 Karma
Reply

rhondapace
New Member
‎03-01-2019 07:43 AM

Thank you, I appreciate your input. You are correct, that will show me the count by timestamp. What I really need is the count for the action, only if the earliest action = Open... any ideas for that? I would like my result to look like this:

Action Count
Open 2

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...