Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display Event_Status change?

priyankamundarg
Explorer
‎08-03-2016 03:48 AM

In a log file I have one field with name EVENT_STATUS. It has 3 values 1.Accepted 2. Pending 3. Rejected
I have designed a dashboard to track the Status of Customer ID.(Initially it will be Pending. once administration approves it then its changed to Accepted)
I would like to display those customer ID which are in Pending status. Once the pending state is changed to Accepted it should go away from the Panel.

index=* source=* EVENT_STATUS="*" Cust_ID | where EVENT_STATUS="PENDING" OR EVENT_STATUS="REJECTED"|search latest(EVENT_STATUS)| table Cust_ID , Cust_NAME ,EVENT_STATUS , EVENT_TIME.

Please specify the correct query.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 06:44 AM

Try this. This allows for cases where EVENT_STATUS can go from Rejected to Pending

index=xyz source=abc EVENT_STATUS=*  Cust_ID=* | stats latest(EVENT_STATUS) as Status by Cust_ID | where Status="Pending"

Use the refresh attribute on the dashboard to set how frequently, in seconds, to refresh the dashboard.
For example, sets the refresh rate to 5 minutes.

https://answers.splunk.com/answers/102621/automatically-refresh-dashboard.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 08:10 AM

If you're only interested in Pending customers, this should do it.

index=foo EVENT_STATUS="Pending" | dedup EVENT_STATUS, Cust_ID | table Cust_ID , Cust_NAME ,EVENT_STATUS , EVENT_TIME
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

priyankamundarg
Explorer
‎08-03-2016 08:14 AM

I tried this way. When status is changed from PENDING to ACCEPTED the cust id still remains in the panel. It will not vanish.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 06:44 AM

Try this. This allows for cases where EVENT_STATUS can go from Rejected to Pending

index=xyz source=abc EVENT_STATUS=*  Cust_ID=* | stats latest(EVENT_STATUS) as Status by Cust_ID | where Status="Pending"

Use the refresh attribute on the dashboard to set how frequently, in seconds, to refresh the dashboard.
For example, sets the refresh rate to 5 minutes.

https://answers.splunk.com/answers/102621/automatically-refresh-dashboard.html

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...