Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event logs are related to incidents ; each log having an incident number and the state of that incident along with other attributes.

bineetadas
New Member
‎11-03-2019 11:29 PM

If a certain incident is in resolved/closed state I want all logs pertaining to that incident to be excluded from the search i.e. logs which also have that same incident in say Open/Assigned/WIP state. In other words, I want to create a table in Splunk with all these incidents which havent been closed/resolved.

My query:

index= xxxx source= xxxxx (state!="Closed*" AND state!="Resolved")
|dedup number
|table number Timestamps priority "Age(in Days)" text Status

the problem with this query is that if an incident(number field) has been resolved, splunk will simply exclude that log and instead take up the last recent log for that incident and show it as "Assigned" or "WIP" state which is incorrect.

Hoping for an accurate solution. Have been stuck up with this for days 😠

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎11-04-2019 12:00 AM

@bineetadas ,

Find the latest status of an incident number and filter based on that

index= xxxx source= xxxxx |stats latest(state) as state,latest( "other required fields" ) by number
|where state!="Closed*" OR state!="Resolved"

If you want history of states, replace stats with eventstats

    index= xxxx source= xxxxx |eventstats latest(state) as latest_state by number
    |where latest_state !="Closed*" OR latest_state!="Resolved"
    |fields "Your required fields"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

bineetadas
New Member
‎11-04-2019 06:28 AM

Yeah..that's fine but does not really answer my question! stats or eventstats in the above cases would yes pick up the latest status for that incident but what I want is if an incident has been resolved or closed..then all splunk logs for that incident be removed from the search and, the table just display incidents which havent been closed/resolved.. is that possible?

0 Karma
Reply

renjith_nair
Legend
‎11-05-2019 05:49 AM

@bineetadas , thats what the where condition does

e.g.

incident# , state
1 , open
1, progress
2,open
1,closed

stats latest(state) as state by number gives you

incident# , state
1,closed
2 , open

where state!="Closed*" OR state!="Resolved" filters out first row results in

incident# , state
2 , open

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...