Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How get a count of last Status

t_splunk_d
Path Finder
‎08-01-2017 06:06 PM

I trying figure out what is the best search query for reporting on the count of different unique status.
Following is the records:
ID NAME STATUS LASTUPDATEDTIME
1 Group1 Started 12:15
1 Group1 Processing 12:30
1 Group1 Transfering 12:45
1 Group1 Completed 1:06
2 Group1 Started 12:17
2 Group1 Processing 12:32
2 Group1 Transfering 12:46
3 Group1 Started 12:55

When I try | stats count by STATUS - it does give me the correct numbers.
I am looking for the result:

Started - 1
Completed - 1
Transferring - 1

I want to report count of last Status.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 02:27 AM

Hi
let me better understand your request:
each ID can have different status and you want to count only the occurrences of last status of each ID, correct?
If this is your request try something like this:

your_search 
| stats latest(STATUS) AS STATUS by ID 
| stats count by STATUS

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 02:27 AM

Hi
let me better understand your request:
each ID can have different status and you want to count only the occurrences of last status of each ID, correct?
If this is your request try something like this:

your_search 
| stats latest(STATUS) AS STATUS by ID 
| stats count by STATUS

Bye.
Giuseppe

Reply
Solved! Jump to solution

niketn
Legend
‎08-02-2017 02:10 AM

@t_splunk_d, | stats count by STATUS should be best way of finding count based on different unique status. Is there any issue that you are facing when you run this command?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎08-02-2017 02:22 AM

count of last status will always give you 1 if i understand the question correctly...
try the following, considering ID field is ID:
... |stats lastest(STATUS) by ID
hope it helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...