Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display Event_Status change?

priyankamundarg
Explorer
‎08-03-2016 03:48 AM

In a log file I have one field with name EVENT_STATUS. It has 3 values 1.Accepted 2. Pending 3. Rejected
I have designed a dashboard to track the Status of Customer ID.(Initially it will be Pending. once administration approves it then its changed to Accepted)
I would like to display those customer ID which are in Pending status. Once the pending state is changed to Accepted it should go away from the Panel.

index=* source=* EVENT_STATUS="*" Cust_ID | where EVENT_STATUS="PENDING" OR EVENT_STATUS="REJECTED"|search latest(EVENT_STATUS)| table Cust_ID , Cust_NAME ,EVENT_STATUS , EVENT_TIME.

Please specify the correct query.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 06:44 AM

Try this. This allows for cases where EVENT_STATUS can go from Rejected to Pending

index=xyz source=abc EVENT_STATUS=*  Cust_ID=* | stats latest(EVENT_STATUS) as Status by Cust_ID | where Status="Pending"

Use the refresh attribute on the dashboard to set how frequently, in seconds, to refresh the dashboard.
For example, sets the refresh rate to 5 minutes.

https://answers.splunk.com/answers/102621/automatically-refresh-dashboard.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 08:10 AM

If you're only interested in Pending customers, this should do it.

index=foo EVENT_STATUS="Pending" | dedup EVENT_STATUS, Cust_ID | table Cust_ID , Cust_NAME ,EVENT_STATUS , EVENT_TIME
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

priyankamundarg
Explorer
‎08-03-2016 08:14 AM

I tried this way. When status is changed from PENDING to ACCEPTED the cust id still remains in the panel. It will not vanish.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 06:44 AM

Try this. This allows for cases where EVENT_STATUS can go from Rejected to Pending

index=xyz source=abc EVENT_STATUS=*  Cust_ID=* | stats latest(EVENT_STATUS) as Status by Cust_ID | where Status="Pending"

Use the refresh attribute on the dashboard to set how frequently, in seconds, to refresh the dashboard.
For example, sets the refresh rate to 5 minutes.

https://answers.splunk.com/answers/102621/automatically-refresh-dashboard.html

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...