Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event logs are related to incidents ; each log having an incident number and the state of that incident along with other attributes.

bineetadas
New Member
‎11-03-2019 11:29 PM

If a certain incident is in resolved/closed state I want all logs pertaining to that incident to be excluded from the search i.e. logs which also have that same incident in say Open/Assigned/WIP state. In other words, I want to create a table in Splunk with all these incidents which havent been closed/resolved.

My query:

index= xxxx source= xxxxx (state!="Closed*" AND state!="Resolved")
|dedup number
|table number Timestamps priority "Age(in Days)" text Status

the problem with this query is that if an incident(number field) has been resolved, splunk will simply exclude that log and instead take up the last recent log for that incident and show it as "Assigned" or "WIP" state which is incorrect.

Hoping for an accurate solution. Have been stuck up with this for days 😠

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎11-04-2019 12:00 AM

@bineetadas ,

Find the latest status of an incident number and filter based on that

index= xxxx source= xxxxx |stats latest(state) as state,latest( "other required fields" ) by number
|where state!="Closed*" OR state!="Resolved"

If you want history of states, replace stats with eventstats

    index= xxxx source= xxxxx |eventstats latest(state) as latest_state by number
    |where latest_state !="Closed*" OR latest_state!="Resolved"
    |fields "Your required fields"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

bineetadas
New Member
‎11-04-2019 06:28 AM

Yeah..that's fine but does not really answer my question! stats or eventstats in the above cases would yes pick up the latest status for that incident but what I want is if an incident has been resolved or closed..then all splunk logs for that incident be removed from the search and, the table just display incidents which havent been closed/resolved.. is that possible?

0 Karma
Reply

renjith_nair
Legend
‎11-05-2019 05:49 AM

@bineetadas , thats what the where condition does

e.g.

incident# , state
1 , open
1, progress
2,open
1,closed

stats latest(state) as state by number gives you

incident# , state
1,closed
2 , open

where state!="Closed*" OR state!="Resolved" filters out first row results in

incident# , state
2 , open

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...