I have the following events:
TicketId     SplunkTimeStamp   Version
6.1608E+14   8/5/2016 8:32     16
6.1608E+14   8/4/2016 9:40
6.1608E+14   8/4/2016 8:50
6.1608E+14   8/4/2016 23:44    16
6.1608E+14   8/4/2016 8:00
6.1608E+14   8/4/2016 7:10
I want to get the total number of tickets by Version. Since some of the earlier events of a ticket do not have a Version, to avoid double counting I did:
index=events | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V
However, Total did not count a ticket that has only one event, and that event has a Version, such as:
TicketId     SplunkTimeStamp   Version
11111111     8/4/2016 10:44    16
22222222     8/3/2016 10:44    15
So the total number is less than expected.
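To make the intended computation concrete, here is an added example (not part of the question or any answer on this page, and not Splunk code) that emulates the two SPL steps in Python on the events shown above: `eventstats latest(Version) as V by TicketId` takes, per ticket, the Version from the most recent event that carries one; `stats dc(TicketId) as Total by V` then counts distinct tickets per version and silently drops any ticket whose V is null. The sample rows are copied from the question (the first TicketId is kept as the rounded literal `6.1608E+14` it appears as there); ticket `33333333`, which has no Version on any event, is a constructed addition to show the one case the pipeline cannot count.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the rows from the question, plus one made-up ticket
# (33333333) that never carries a Version. A missing Version is None, which
# models a field that is absent from the Splunk event.
EVENTS = [
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/5/2016 8:32", "Version": 16},
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/4/2016 9:40", "Version": None},
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/4/2016 8:50", "Version": None},
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/4/2016 23:44", "Version": 16},
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/4/2016 8:00", "Version": None},
    {"TicketId": "6.1608E+14", "SplunkTimeStamp": "8/4/2016 7:10", "Version": None},
    {"TicketId": "11111111", "SplunkTimeStamp": "8/4/2016 10:44", "Version": 16},
    {"TicketId": "22222222", "SplunkTimeStamp": "8/3/2016 10:44", "Version": 15},
    {"TicketId": "33333333", "SplunkTimeStamp": "8/3/2016 9:00", "Version": None},  # constructed
]


def parse_ts(s):
    """SplunkTimeStamp as written in the question: M/D/YYYY H:MM (24-hour)."""
    return datetime.strptime(s, "%m/%d/%Y %H:%M")


def latest_version_by_ticket(events):
    """Emulates `eventstats latest(Version) as V by TicketId`.

    For each ticket, keep the Version of the most recent event in which
    Version is present. Events without a Version do not influence the result,
    so the order of events in the input does not matter either.
    """
    latest = {}  # TicketId -> (timestamp, Version)
    for ev in events:
        if ev["Version"] is None:
            continue
        ts = parse_ts(ev["SplunkTimeStamp"])
        cur = latest.get(ev["TicketId"])
        if cur is None or ts > cur[0]:
            latest[ev["TicketId"]] = (ts, ev["Version"])
    return {tid: v for tid, (_, v) in latest.items()}


def max_version_by_ticket(events):
    """Emulates `eventstats max(Version) as V by TicketId` (the alternative
    suggested in the thread). Same result as latest() whenever a ticket's
    Version only ever increases over time."""
    best = {}
    for ev in events:
        if ev["Version"] is None:
            continue
        tid = ev["TicketId"]
        best[tid] = max(best.get(tid, ev["Version"]), ev["Version"])
    return best


def total_tickets_by_version(version_by_ticket):
    """Emulates `stats dc(TicketId) as Total by V`: one distinct-count bucket
    per version value. Tickets with no version are absent from the input dict,
    exactly as events with a null V are excluded from a `by V` split."""
    tickets = defaultdict(set)
    for tid, v in version_by_ticket.items():
        tickets[v].add(tid)
    return {v: len(ids) for v, ids in tickets.items()}


def uncounted_tickets(events):
    """The check worth running next to the report: tickets that carry no
    Version on any event and therefore never appear in any Total."""
    all_ids = {ev["TicketId"] for ev in events}
    return all_ids - set(latest_version_by_ticket(events))


if __name__ == "__main__":
    by_latest = latest_version_by_ticket(EVENTS)
    print("V per ticket:", by_latest)
    print("Total by V:", total_tickets_by_version(by_latest))
    print("tickets with no Version at all:", uncounted_tickets(EVENTS))
```

On this data both `latest` and `max` assign V=16 to `6.1608E+14` and `11111111` and V=15 to `22222222`, so Total is 2 for version 16 and 1 for version 15; the single-event tickets are counted as long as the `by` field in `eventstats` really is the `TicketId` field that exists in the events. The sum of the Totals plus the size of `uncounted_tickets` should equal the plain `dc(TicketId)` over the index; if it does not, the `by` field name or the Version extraction is the first thing to check.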
I don't know if I fully understand. Does the same ticket have multiple versions that increment? And you want to count the latest version of that particular ticket? If so, "max" might work
index=events | eventstats max(Version) as V by TicketId | stats count(V) as COUNT by V TicketId
Give this a try
index=events | reverse | filldown Version | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V
Not sure if you tried my solution and (after it worked for you) accepted the answer. If @JDukeSplunk's is what you're implementing, go ahead and accept that answer (I converted his comment to an answer).