Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to select latest events based on some condition?

dineshCool
New Member
‎06-06-2019 07:21 AM

Hi Guys,

Please help with this below scenario.

I have events like this

alt text

Now I want to take the events has a "success" status. Here I need to display the results in the same format which mentioned in the snapshot.

I tried with below query but it's not giving me the correct data

 |<base_query> 
    |stats earliest(status) AS earliest_state,latest(_time) latest(status) AS latest_state BY Name_Of_the_Job |eval job_status=if(earliest_state="SUCCESS","SUCCESS","FAIL") |table host,   Application_name,   Job_name,   job_duration,   _time,  status

Thanks in advance

Preview file
6 KB
0 Karma
Reply

FrankVl
Ultra Champion
‎06-12-2019 02:52 AM

You could try something like this:

|<base_query> 
|stats max(status) AS state BY host, Application_name,  Job_name

Since Success > Fail (lexicographically), if there is a Success, max(status) will return that, if there are only Fail values, it will return Fail.

0 Karma
Reply

dmarling
Builder
‎06-06-2019 08:28 AM

Your table after the stats line is containing fields that are not being passed through by the stats. Stats is a transforming command, not a streaming command. You will have to pass through the application_name and job_duration for it to work. You'll need to decide which duration you want for this. Do you want the earliest duration, the latest duration, a sum of durations, or some other statistical command on the duration? Your title is saying you want the latest events based on a condition, but your eval |eval job_status=if(earliest_state="SUCCESS","SUCCESS","FAIL") is stating if the earliest status that returns is successful, I am classifying "job_status" as "SUCCESS". You aren't using the "latest_state" field.

We need to understand your goal a bit better. What is the expected out come you are looking for on your output based on your sample data you provided?

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

dineshCool
New Member
‎06-06-2019 11:18 PM

Thanks for the response. My goal is to achieve to fetch the events status has "success" in any of the previous or latest run. but at the same time it has to consider the events has fail also. if the job ran multiple times and the status of the job remains "Fail", then the fail status should appear in the table.

0 Karma
Reply

dmarling
Builder
‎06-07-2019 08:13 AM

Is there a window on this analysis? If it ran 5 times do you only care about the results of the last three? Is failure defined as every run ever failing or only the last x number of runs that you define as your window failing in a row?

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

dineshCool
New Member
‎06-12-2019 02:45 AM

I have plenty of the events like this and i am not using any window for analysis.
The jobs may run multiple times but it has to consider the "status". if any of the previous run in "success" then it has to take the event has success. But if there is any failure in the result set , then the result should be in "FAIL".

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...