Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Count Last event by id and version

cros
Engager
‎01-08-2021 01:07 AM

Hi all, 

I'm trying to create a visualisation to show the percentage of ticket status (New, Comleted, Cancelled, etc.). 

I tried with this search : 

 

| stats latest(_time) as Time by "Record Number", PI_Number, PI_Event_Status

 

 

I have ticket with Record Number (id), Number (Version), Status. I want to take the last ticket event of the version and get his status. In order to count the current status of each event on the system. 

The result is the following : 

Record NumberNumberStatus_time
118671141Completed - Owner Action Required1472175180
118671141New1471951740
122975221Completed - Nothing Found1477321800
122975221Investigating1475829120
122975221New1475735400
122975222Completed - Error/Workaround Found1479229260
122975222New1479198300
122975223Completed - Recovery PTR Open1482241320
122975223New1482226920

 

With my stats command i'm not able to retrieve only last event for each version of a ticket. How i can do that ? 

 

Regards,

Clément

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-08-2021 01:59 AM 
| stats latest(_time) as Time, latest(PI_Event_Status) as PI_Event_Status by "Record Number", PI_Number
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...