Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How get a count of last Status

t_splunk_d
Path Finder
‎08-01-2017 06:06 PM

I trying figure out what is the best search query for reporting on the count of different unique status.
Following is the records:
ID NAME STATUS LASTUPDATEDTIME
1 Group1 Started 12:15
1 Group1 Processing 12:30
1 Group1 Transfering 12:45
1 Group1 Completed 1:06
2 Group1 Started 12:17
2 Group1 Processing 12:32
2 Group1 Transfering 12:46
3 Group1 Started 12:55

When I try | stats count by STATUS - it does give me the correct numbers.
I am looking for the result:

Started - 1
Completed - 1
Transferring - 1

I want to report count of last Status.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 02:27 AM

Hi
let me better understand your request:
each ID can have different status and you want to count only the occurrences of last status of each ID, correct?
If this is your request try something like this:

your_search 
| stats latest(STATUS) AS STATUS by ID 
| stats count by STATUS

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 02:27 AM

Hi
let me better understand your request:
each ID can have different status and you want to count only the occurrences of last status of each ID, correct?
If this is your request try something like this:

your_search 
| stats latest(STATUS) AS STATUS by ID 
| stats count by STATUS

Bye.
Giuseppe

Reply
Solved! Jump to solution

niketn
Legend
‎08-02-2017 02:10 AM

@t_splunk_d, | stats count by STATUS should be best way of finding count based on different unique status. Is there any issue that you are facing when you run this command?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎08-02-2017 02:22 AM

count of last status will always give you 1 if i understand the question correctly...
try the following, considering ID field is ID:
... |stats lastest(STATUS) by ID
hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...