How to filter out results where an extra event is ...

Splunk Search

Hello,

I have events that look like this:

2021-05-27 14:33:44 UserId:123 Begin Fix for Issue:4354657687 <-- extra/delayed event logged after fix
2021-05-27 14:33:43 UserId:123 Fix Success!
2021-05-27 14:33:01 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:32 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:08 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:31:47 UserId:123 Fix Success!
2021-05-27 14:31:25 UserId:123 Begin Fix for Issue:4353228391

I am making a search to return instances where a new issue has started but has not yet been fixed. If I grab the latest event and it begins with "Begin Fix" I am currently taking that and using it to calculate the duration where an issue is considered "ongoing". However, in some cases, my events occur so that there is an extra event with the same issue id that occurs AFTER the fix has occurred.

How should I go about this to only grab the latest event if its issue id has not been fixed yet?

Get Updates on the Splunk Community!

How to filter out results where an extra event is present

eval

field extraction

rex

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?