Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to show the last successful server imaging ("Build Succeeded") from the the failures ("Build Failed")?

rlseafor
New Member
‎02-07-2017 04:17 PM 
sourcetype="my_sourcetype" ("Build Failed" NOT "Build Succeeded") earliest=@d+2h | rename host as "Imaging Server" | table "Imaging Server", _time | sort - count | sort -_time

This shows me what servers have not imaged correctly each night. I then want to have the last successful build from the failures. Any recommendations?

Tags (2)
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-11-2017 10:15 AM

@rlseafor - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

starcher
Influencer
‎02-08-2017 08:04 AM

I don't have your example data but maybe try something like the following assuming you have the buildstate extracted into a field.

... | stats max(_time) as latestSeen by host, buildstate | xyseries host buildstate latestSeen | rename latestSeen:* as *

You could then sort on the time. maybe do some math on the gap between the time values in the buildstate columns at the end.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...