Splunk Search

How to edit my search to show the last successful server imaging ("Build Succeeded") for the failures ("Build Failed")?

rlseafor
New Member
sourcetype="my_sourcetype" ("Build Failed" NOT "Build Succeeded") earliest=@d+2h | rename host as "Imaging Server" | table "Imaging Server", _time | sort -_time

This shows me what servers have not imaged correctly each night. I then want to have the last successful build from the failures. Any recommendations?


aaraneta_splunk
Splunk Employee

@rlseafor - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!


starcher
Influencer

I don't have your example data but maybe try something like the following assuming you have the buildstate extracted into a field.

... | stats max(_time) as latestSeen by host, buildstate | xyseries host buildstate latestSeen | rename latestSeen:* as *

You could then sort on the time. Maybe do some math on the gap between the time values in the buildstate columns at the end.

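The following is an added worked search, not part of starcher's or the original poster's post, that carries the stats/xyseries idea through to the table the question asks for: one row per imaging server whose most recent build event is a failure, with the time of its last successful build and the gap between the two. It assumes the buildstate is not already extracted, so it derives it from _raw with match(); it assumes the sourcetype name "my_sourcetype" from the question and a 30-day window (earliest=-30d@d) so that older successes are visible, which the original earliest=@d+2h would not show. It also relies on xyseries naming the pivoted columns after the buildstate values ("Failed" and "Succeeded") when there is a single y-data field, so no rename of a "latestSeen:" prefix is needed.

```spl
sourcetype="my_sourcetype" ("Build Succeeded" OR "Build Failed") earliest=-30d@d
| eval buildstate=case(match(_raw, "Build Succeeded"), "Succeeded", match(_raw, "Build Failed"), "Failed")
| stats max(_time) as latestSeen by host, buildstate
| xyseries host buildstate latestSeen
| where isnotnull(Failed) AND (isnull(Succeeded) OR Failed > Succeeded)
| eval gap_days=if(isnull(Succeeded), "no success in window", round((Failed - Succeeded) / 86400, 1))
| sort -Failed
| eval Failed=strftime(Failed, "%Y-%m-%d %H:%M:%S"), Succeeded=strftime(Succeeded, "%Y-%m-%d %H:%M:%S")
| rename host as "Imaging Server", Failed as "Last Failure", Succeeded as "Last Success", gap_days as "Days Since Last Success"
| table "Imaging Server", "Last Failure", "Last Success", "Days Since Last Success"
```

The where clause is what turns "all hosts that ever failed" into "hosts that are currently broken": a host whose latest success is newer than its latest failure is dropped, and a host with no success at all in the window is kept with a null Last Success rather than silently disappearing. Sorting is done on the epoch value before strftime so that it is a numeric sort, not a string sort.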