How to filter out results where an extra event is ...

Splunk Search

Hello,

I have events that look like this:

2021-05-27 14:33:44 UserId:123 Begin Fix for Issue:4354657687 <-- extra/delayed event logged after fix
2021-05-27 14:33:43 UserId:123 Fix Success!
2021-05-27 14:33:01 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:32 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:08 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:31:47 UserId:123 Fix Success!
2021-05-27 14:31:25 UserId:123 Begin Fix for Issue:4353228391

I am making a search to return instances where a new issue has started but has not yet been fixed. If I grab the latest event and it begins with "Begin Fix" I am currently taking that and using it to calculate the duration where an issue is considered "ongoing". However, in some cases, my events occur so that there is an extra event with the same issue id that occurs AFTER the fix has occurred.

How should I go about this to only grab the latest event if its issue id has not been fixed yet?

Get Updates on the Splunk Community!

How to filter out results where an extra event is present

eval

field extraction

rex

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?