Hello Team,
I have my ServiceNow ticketing logs enabled in my Splunk. I require the help and suggestions below.
The ticket status goes like "draft", "Recover", "Cancelled", "Analysis", "Closed".
Suppose ticket #2345 starts in draft, then goes to recover, then to analysis, then to the closed state.
Here is how I pull the current status of ticket #2345 in Splunk search, using the SPL query below for the last 24 hours.
index=main source=xyz dv_state=* dv_opened_by=pox OR dv_opened_by=IOP | dedup number dv_state | table number, dv_state, dv_opened_by, dv_opened_at
Search answer: I am getting the status of ticket 2345 as "draft". But the ticket is actually in the closed state.
I am looking for ticket #2345 to show only in the closed state. Let me know what went wrong.
My expectation: if ticket #2345 went through to the closed state, what will be the SPL query for the last 24 hours?
We can use stats with last.
index=main source=xyz dv_state=* dv_opened_by=pox OR dv_opened_by=IOP | stats last(dv_state) last(otherfields) by number
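For reference, an added example (not part of the original posts) that can be pasted into a Splunk search bar: it builds four constructed events for ticket 2345 with `makeresults` and compares `first()` and `last()`, which follow the order in which events reach `stats`, with `latest()`, which picks the value with the most recent `_time`. The field names come from the question; the timestamps and the `step` helper field are made up for the demo.

```spl
| makeresults count=4
| streamstats count AS step
| eval number="2345", dv_opened_by="pox"
| eval dv_state=case(step=1, "draft", step=2, "Recover", step=3, "Analysis", step=4, "Closed")
| eval _time=now() - (5 - step) * 3600
| sort 0 -_time
| stats first(dv_state) AS first_in_search_order,
        last(dv_state) AS last_in_search_order,
        latest(dv_state) AS current_state,
        latest(_time) AS last_update
        by number
| eval last_update=strftime(last_update, "%Y-%m-%d %H:%M:%S")
```

The `sort 0 -_time` line puts the newest event first, the order in which an index search normally returns events. Note also that `dedup number dv_state` keeps one event per combination of ticket and state, so a ticket that passed through several states still yields several rows.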