Splunk Search

OR Search latest results

DonBaldini
Path Finder

I have a search that links the problem and problem task tables, with a scenario that gives unexpected results.

My search brings back the latest ptasks against the problem, but I have identified some tasks that were closed as duplicate after the last update on the active tasks.

(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number,
    latest(eval(if(sourcetype="problem_task",active,null()))) as task_active,
    latest(eval(if(sourcetype="problem_task",dv_u_review_type,null()))) as dv_u_review_type,
    latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due,
    latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened,
    latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active
    by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| where problem!=""

Is it possible to mark an event that is closed as out of scope, then exclude all the events with the same number?


DonBaldini
Path Finder

[attached screenshot: DonBaldini_0-1726753005454.png]

Yes, so the results that are coming back are the latest events from the ptasks marked red. I'd want to omit all events related to these, so that the latest events from the green task are populated in my results.


PaulPanther
Motivator

Sorry, it is still not clear to me what the expected outcome should look like.


DonBaldini
Path Finder

I don't want any of the events for a ptask where there is a result of task_active=false.

I can't just search for task_active=true, because that also brings back events from when the ptasks that are now task_active=false were previously true.

I was thinking of a solution with a marker before I do the stats latest:
| eval OutOfScope=if(task_active="false",1,0)

Then I'd need something to say that, for a given number, if one event is OutOfScope=1 then all events for that ptask number are OutOfScope=1.

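One way to build the marker described in this post and spread it to every event of the same task, added here as an example that is not from the original thread or from either poster. It assumes, as the post above does, that the closing event of a problem_task carries active="false", that every event of a task carries the same number, and that a problem_task number never collides with a problem number (the eventstats groups by sourcetype as well, so that is only a safety net). eventstats max() is what carries the 1 from the closing event back to the task's earlier active="true" events, so the whole task is dropped before the stats latest runs:

```spl
(`servicenow` sourcetype="problem" latest=@mon)
    OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| eval OutOfScope=if(sourcetype="problem_task" AND active="false",1,0) ```assumption: closing event has active="false"```
| eventstats max(OutOfScope) as OutOfScope by sourcetype, number ```one closed event marks every event of that task```
| where OutOfScope=0 ```problem events are never marked, so they survive```
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number,
    latest(eval(if(sourcetype="problem_task",active,null()))) as task_active,
    latest(eval(if(sourcetype="problem_task",dv_u_review_type,null()))) as dv_u_review_type,
    latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due,
    latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened,
    latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active
    by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| where problem!=""
```

Two things to check before trusting the output. The closing event must fall inside the search time range: if the task was closed before the earliest time of the search, no event carries active="false", nothing is marked, and the task's older active="true" events come back exactly as before. And eventstats has to hold every event of a task before it can mark them, so it runs under the eventstats memory limits in limits.conf; keep the time range as tight as the data allows. If the closing event uses a different field or value than active="false" (for example a state field), change the first eval and nothing else.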

PaulPanther
Motivator

Please try:


(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number,
    latest(eval(if(sourcetype="problem_task",active,null()))) as task_active,
    latest(eval(if(sourcetype="problem_task",dv_u_review_type,null()))) as dv_u_review_type,
    latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due,
    latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened,
    latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active
    by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| search problem!="" AND task_active!=false

DonBaldini
Path Finder

I need to omit all events for a ptask that is now task_active=false, not just the latest event. This is why I need to do something before the stats latest.

If I do stats values instead of stats latest, I want the green events, but the red events are causing issues with my data as they were more recent. Not sure if you saw my previous post, but I was hoping there would be a way to put an out-of-scope marker on all the unwanted events.

[attached screenshot: DonBaldini_0-1726755149945.png]



PaulPanther
Motivator

Please share the raw events from the shared example.


PaulPanther
Motivator

Do you want to filter out some events based on the results produced by the shared search? It would be great if you could clarify the expected outcome.

Furthermore please provide some sample data.
