Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event logs are related to incidents ; each log having an incident number and the state of that incident along with other attributes.

bineetadas
New Member
‎11-03-2019 11:29 PM

If a certain incident is in resolved/closed state I want all logs pertaining to that incident to be excluded from the search i.e. logs which also have that same incident in say Open/Assigned/WIP state. In other words, I want to create a table in Splunk with all these incidents which havent been closed/resolved.

My query:

index= xxxx source= xxxxx (state!="Closed*" AND state!="Resolved")
|dedup number
|table number Timestamps priority "Age(in Days)" text Status

the problem with this query is that if an incident(number field) has been resolved, splunk will simply exclude that log and instead take up the last recent log for that incident and show it as "Assigned" or "WIP" state which is incorrect.

Hoping for an accurate solution. Have been stuck up with this for days 😠

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎11-04-2019 12:00 AM

@bineetadas ,

Find the latest status of an incident number and filter based on that

index= xxxx source= xxxxx |stats latest(state) as state,latest( "other required fields" ) by number
|where state!="Closed*" OR state!="Resolved"

If you want history of states, replace stats with eventstats

    index= xxxx source= xxxxx |eventstats latest(state) as latest_state by number
    |where latest_state !="Closed*" OR latest_state!="Resolved"
    |fields "Your required fields"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

bineetadas
New Member
‎11-04-2019 06:28 AM

Yeah..that's fine but does not really answer my question! stats or eventstats in the above cases would yes pick up the latest status for that incident but what I want is if an incident has been resolved or closed..then all splunk logs for that incident be removed from the search and, the table just display incidents which havent been closed/resolved.. is that possible?

0 Karma
Reply

renjith_nair
Legend
‎11-05-2019 05:49 AM

@bineetadas , thats what the where condition does

e.g.

incident# , state
1 , open
1, progress
2,open
1,closed

stats latest(state) as state by number gives you

incident# , state
1,closed
2 , open

where state!="Closed*" OR state!="Resolved" filters out first row results in

incident# , state
2 , open

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...