Search query 1:
index="main" earliest=06/01/2019:00:00:00 latest=now | stats first(status) by src destination port
Search query 2:
index="main" earliest=06/01/2019:00:00:00 latest=now | stats latest(status) by src destination port
I have used the first and latest commands in stats.
There are 2 statuses in the events, "STATE UP" and "STATE DOWN". I would like to fetch the latest event with the latest status field. But if I search with the above query it shows both (STATE UP and STATE DOWN). I would like to display the latest, either "status up" or "status down".
Can someone help me find the solution?
Current results:
src   destination   port   first(status)
XXX   YYY           443    State DOWN
XXX   YYY           443    State UP
Hi Jacobevans,
Thank you for the query. But I am expecting different results. In NetScaler, the events trigger when there is a status change from UP to DOWN or DOWN to UP. I would like to display the latest status with respect to source and destination. Your query gives all the results, which is not the expected one.
Example: I have 3 events
10/17/19 7:05 PM : Status was DOWN
10/17/19 7:06 PM : Status was UP
10/17/19 7:07 PM : Status was DOWN
The expected output should be the current status, like below:
STATE was DOWN (because this status is the latest)
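As an added illustration, not code from this thread or from Splunk, the following Python reproduces what `stats latest(status) by src destination port` computes over a constructed set of events shaped like the three listed above, and contrasts it with `first(status)`, whose result depends on the order in which events reach `stats` rather than on `_time`. The field names `src`, `destination`, `port`, `status`, the second flow and all sample events are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events (not from the original post). The XXX->YYY:443 flow
# follows the thread's example (DOWN, UP, DOWN); a second flow AAA->BBB:80 flips
# UP then DOWN. Timestamps use the "MM/DD/YY H:MM PM" form the poster wrote.
SAMPLE_EVENTS = [
    {"_time": "10/17/19 7:05 PM", "src": "XXX", "destination": "YYY", "port": 443, "status": "STATE DOWN"},
    {"_time": "10/17/19 7:06 PM", "src": "XXX", "destination": "YYY", "port": 443, "status": "STATE UP"},
    {"_time": "10/17/19 7:07 PM", "src": "XXX", "destination": "YYY", "port": 443, "status": "STATE DOWN"},
    {"_time": "10/17/19 7:04 PM", "src": "AAA", "destination": "BBB", "port": 80,  "status": "STATE UP"},
    {"_time": "10/17/19 7:09 PM", "src": "AAA", "destination": "BBB", "port": 80,  "status": "STATE DOWN"},
]


def parse_time(ts):
    """Parse the poster's timestamp format into a datetime (stand-in for _time)."""
    return datetime.strptime(ts, "%m/%d/%y %I:%M %p")


def flow_key(event):
    """Grouping key, the equivalent of `by src destination port`."""
    return (event["src"], event["destination"], event["port"])


def latest_status_by_flow(events):
    """Equivalent of `stats latest(status) by src destination port`: for each
    flow keep the status of the chronologically latest event, whatever order
    the events arrive in."""
    latest = {}
    for ev in events:
        key = flow_key(ev)
        t = parse_time(ev["_time"])
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, ev["status"])
    return {key: status for key, (_, status) in latest.items()}


def first_status_by_flow(events):
    """Equivalent of `stats first(status) by src destination port`: the first
    value seen per flow in input order. It only matches latest() when events
    arrive newest-first (Splunk's default search order)."""
    first = {}
    for ev in events:
        first.setdefault(flow_key(ev), ev["status"])
    return first


def newest_first(events):
    """Reorder events the way a plain Splunk search returns them (newest first)."""
    return sorted(events, key=lambda ev: parse_time(ev["_time"]), reverse=True)


if __name__ == "__main__":
    # Events listed oldest-first, as in the thread: latest() gives the current
    # state of each flow, first() does not for the AAA->BBB flow.
    print("latest:", latest_status_by_flow(SAMPLE_EVENTS))
    print("first (oldest-first input):", first_status_by_flow(SAMPLE_EVENTS))
    print("first (newest-first input):", first_status_by_flow(newest_first(SAMPLE_EVENTS)))
```

The difference between the two functions is the practical point: `first()` only reflects the current state when the events reach `stats` newest-first, so anything that changes the order (a `sort`, a `transaction`, or a data source whose `_time` is not the event's own timestamp) silently changes the answer, whereas `latest()` is tied to `_time`. If `latest(status)` still returns two rows for what looks like one flow, the grouping fields differ between the two events in some way that is not visible in the table, and comparing the raw values of `src`, `destination` and `port` on those events is the next check.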