Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search query to find latest state of incident(ticket) of SNOW

AbdulMateen
Observer
‎01-11-2022 09:09 AM

Requirement- i am trying to create a report based on State of Incident( ticket).  looking for latest State of ticket
below is the my search query.  if time range is selected more then "Today". results showing the previous Ticket State as well.  ex Tkt123 current State is Resolved , prior to  resolved State it was "IN PROGRESS".  expected result should show current State of Tkt123 .

In below query i am looking for "IN PROGRESS" ticket State in Q_name=IT . but it is showing Tkt123 as well.  when checked Tkt123  in SNOW tool it is resolved status

index=SNOW source=SNOW_source Q_name=IT
|stats latest(State) AS State BY Number Last_Updated
| stats dc(Number) AS Total
|search State="IN PROGRESS"
|appendpipe [stats count| eval Total="NODATA" |where count==0|table Total]

@ITWhisperer 

Labels (1)
Labels
0 Karma
Reply

SanjayReddy
Builder
‎01-11-2022 08:12 PM

Hi @AbdulMateen 

in your logs if date field presents , you can also run 

| stats max(date) 

it will show latest event for the ticket 

0 Karma
Reply

johnhua
Builder
‎01-11-2022 09:45 AM

If the most current result represents the most current state, you can simply dedup your data by ticket_id. 

Assuming "Number" is the ticket_id, you can try:

index=SNOW source=SNOW_source Q_name=IT
| dedup Number

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!