Search for a value in a set of results, then indic...

Splunk Search

I have a somewhat complicated search whose results I present in a dashboard, and looks a bit like this:

[
    search 
(
    _raw IN (<video title>)
)
 AND event_name=process.start | fields video_id
 ] 
 (event_name=processor.*) | eval mytime=strftime(_time, "%Y/%m/%d %H:%M:%S") | stats latest(event_name) as Event latest(video_title) as Title latest(mytime) as "Message time" latest(status_short_text) as "Message text" by video_filename

This searches for a message indicating that processing of a particular video title has started. Then passes video_id to a new search, which returns the latest status message for each video_filename found for that video ID.

The system returns a "Processing complete" message indicating that a particular file has finished processing, but this is not necessarily the last message returned. I would like to create a field that indicates whether a "Processing complete" message has been received for each video_filename.

Get Updates on the Splunk Community!

Search for a value in a set of results, then indicate in a new field if the value was found

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Search for a value in a set of results, then indicate in a new field if the value was found

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem