Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you return the latest value only if it's not equal to "closed"?

stike100
New Member
‎03-08-2019 11:09 AM

I'm having a tough time figuring this one out for some reason. The datasource I am using contains multiple records based on the ID with a second field called status that could be equal to (Closed, Open, In Progress). What I am wanting is to only return the latest record, but only on IDs that have not been closed already. Simplified the query to focus on just this issue. 

index=XXX sourcetype=DDDD 
| fields ID, status, openDate, lastUpdateDate 
| dedup ID
| where status!="Closed"
| table ID, status, openDate, lastUpdateDate

When I run it, I get all the Open and In progress latest records, but I am also getting the last open or in progress record for records that have been closed already, and I want to ignore those all together.

Hopefully that makes sense!

Thanks for any help!

Tags (1)
0 Karma
Reply

Vijeta
Influencer
‎03-08-2019 04:01 PM

Try this 

 index=XXX sourcetype=DDDD 
 | fields ID, status, openDate, lastUpdateDate 
 | stats latest(status) as status ,earliest(openDate) as openDate, latest(lastUpdateDate) as UpdateDate by ID
 | where status!="Closed"
 | table ID, status, openDate, lastUpdateDate
0 Karma
Reply

somesoni2
Revered Legend
‎03-08-2019 11:22 AM

Give this a try

index=XXX sourcetype=DDDD 
| fields ID, status, openDate, lastUpdateDate 
| stats list(status) as status values(openDate) as openDate list(lastUpdateDate) as lastUpdateDate by ID
| where isnull(mvfind(status,"Closed"))
| eval status=mvindex(status,0) | eval lastUpdateDate=mvindex(lastUpdateDate ,0)
| table ID, status, openDate, lastUpdateDate
0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...