I have written a splunk query and used streamstats command to make my output look like this:
Query Used:
...
| streamstats current= f last(History) as Status by Ticket Id
| ...
Current Output:
| Ticket ID |
Priority |
Status |
|
1234
4321
5678
|
P1 |
Closed
In Progress
|
| 8765 |
P2 |
Closed |
However I want to remove the record 4321 and look at all the closed tickets for Priority P1 and P2, but since it is also of P1 priority the entire record is getting removed for P1 when I use this query:
...
| streamstats current= f last(History) as Status by Ticket Id
| where NOT Status IN ("In Progress")
| ...
Output:
| Ticket ID |
Priority |
Status |
| 8765 |
P2 |
Closed |
How do I only remove 4321 as it is "In Progress" Status. Please help.
Expected Output:
| Ticket ID |
Priority |
Status |
| 1234 5678 |
P1 |
Closed |
| 8765 |
P2 |
Closed |
