Solved: Help on this record select

yangadounb · ‎08-23-2022

I have the record like this:

_time id status

1 x yes

1 x no

2 x yes

1 x unknow

I want to return the record based on status value: if status has yes ,then return the lasted row that has yes. if there is none yes value then I want the row with no, if there is none yes or none no, return unknow row.

ITWhisperer · ‎08-23-2022

| eval stat=case(status="yes",0,status="no",1,status="unknow",2)
| sort 0 stat - _time
| head 1

View solution in original post

yangadounb · ‎08-23-2022

_time id status

1 x yes

1 x no

2 x yes

1 x unknow

1 y yes

1 y no

2 y yes

1 y unknow

2 z yes

1 z unknow

ITWhisperer · ‎08-23-2022

| eval stat=case(status="yes",0,status="no",1,status="unknow",2)
| sort 0 stat - _time
| streamstats count by id
| where count = 1

ITWhisperer · ‎08-23-2022

| eval stat=case(status="yes",0,status="no",1,status="unknow",2)
| sort 0 stat - _time
| head 1

yangadounb · ‎08-23-2022

sorry not to make this clear , I have more records than that.

Help on this record select

other

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM