Hello Splunkers,
I have the following query returning the search results,
index="demo1"
| search "metrics.job.overall_status"="FAILED" OR "metrics.job.overall_status"="PASSED" metrics.app="*"
| eval timestamp=strftime(floor('metrics.job.end_ts'), "%Y-%m-%d %H:%M:%S")
| sort 0 metrics.app timestamp
| streamstats current=f last(metrics.job.overall_status) as prev_status last(timestamp) as prev_timestamp by metrics.app
| fillnull value="NONE" prev_status
| fillnull value="NONE" prev_timestamp
| eval failed_timestamp=if(metrics.job.overall_status="FAILED" AND (prev_status="NONE" OR prev_status!="FAILED"), timestamp, null())
| table metrics.app, metrics.job.overall_status, prev_status, timestamp, prev_timestamp,failed_timestamp
The result is null in every entry. What is wrong?
even though there are FAILED status with the above specified conditions but the failed_timestamp results are null()
can anyone please share how to correct this...
