Latest event filter on status- How to get the failed tasks?

splunkuser320
Path Finder

I have a query that is giving the latest event of the task, but I want to filter the query for a status

<base query>

| stats latest(status) as Status latest(time) as Time by TASK_NAME

Results:

TASK_NAME   Status   Time
TASK 1      Passed   2023-05-19T01:32:28
TASK 2      Failed   2023-05-19T01:35:28
TASK 3      Passed   2023-05-19T01:15:28
TASK 4      Passed   2023-05-19T05:32:28

I just want all the failed tasks.


gcusello
SplunkTrust

Hi @splunkuser320,

did you try to filter events in the main search?

<base query>
| search status="failed"
| stats latest(status) as Status latest(time) as Time by TASK_NAME

if there's the possibility that a task can have more than one status in the period, you can put the filter at the end of the search

<base query>
| stats latest(status) as Status latest(time) as Time by TASK_NAME
| search Status="failed"

Ciao.

Giuseppe


splunkuser320
Path Finder

I tried this, but the query is giving all the events. I want to get only the latest event.


yeahnah
Motivator

Just remove the group by clause then...

...<your query>...
| search Status="failed"
| stats latest(*) AS *

By default, Splunk lists events with the latest first so you could even do this

...your base query... Status="failed"
| head 1

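As an added, self-contained example (not code from either poster), the search below builds a constructed run history with makeresults so it runs on any Splunk instance without a base query, then applies the filter-after-stats form from Giuseppe's reply using the renamed field Status. TASK 1 failed at 01:12 but passed at 01:32, TASK 2 passed and then failed, and TASK 3 only passed, so the result is TASK 2 alone: the task whose most recent run failed. Note that `where` compares values case-sensitively, so the value is written exactly as stored ("Failed"), whereas the `search` command matches field values case-insensitively.

```spl
| makeresults
| eval data="TASK 1|Failed|2023-05-19T01:12:28;TASK 1|Passed|2023-05-19T01:32:28;TASK 2|Passed|2023-05-19T01:05:28;TASK 2|Failed|2023-05-19T01:35:28;TASK 3|Passed|2023-05-19T01:15:28"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<TASK_NAME>[^|]+)\|(?<status>[^|]+)\|(?<time>.+)$"
| eval _time=strptime(time, "%Y-%m-%dT%H:%M:%S")
| fields - data
| stats latest(status) as Status latest(time) as Time by TASK_NAME
| where Status="Failed"
```

Moving the filter before the stats (`| search status="Failed"` ahead of `| stats ...`) instead returns TASK 1 and TASK 2 with each task's last failure, which is the difference between "last failure per task" and "tasks currently in a failed state" that the two replies describe.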