Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to query events where the latest event field is only a specific value?

Glasses
Builder
‎04-23-2021 02:05 PM

Hi

I have a request to find all users that have outcome=fail as the latest event. The outcome can be fail or success

for example >>> index=foo |stats latest(outcome) by user _time

Joe fail 2021-04-23 19:57:25.998
Joe success 2021-04-23 19:40:05.888

Trying to write a query where the result is only users with a fail as last outcome, not success as last outcome.
Any advice appreciated, TY!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-23-2021 02:50 PM

So, you're looking for outcome events by user, so your by clause of your stats should reflect that... (no need for by _time as well)... Then you can use a where or search command to limit the output of your stats command, like so:

index=foo outcome=* user=*
| stats latest(_time) latest(outcome) by user
| rename latest(*) -> *
| where outcome="fail"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-23-2021 02:50 PM

So, you're looking for outcome events by user, so your by clause of your stats should reflect that... (no need for by _time as well)... Then you can use a where or search command to limit the output of your stats command, like so:

index=foo outcome=* user=*
| stats latest(_time) latest(outcome) by user
| rename latest(*) -> *
| where outcome="fail"
0 Karma
Reply
Solved! Jump to solution

Glasses
Builder
‎04-23-2021 03:33 PM

Thank you, that works...

I want to look historically over 24 hours or 7 days,  so I tried to bin _time span=1h  and it didn't work...

Any ideas how to apply historic searches to that... 

for example running the following over 24hours...  I know its faulty depending on when the time break is but that is good enough...

 

index=foo outcome=* user=*
| bin _time span=5m   
| stats latest(_time) latest(outcome) by user
| rename latest(*)= *
| where outcome="fail"

 

In other words, I want to check 5 minute intervals for the lastest outcome as a fail.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...