[Service Now Logs] How to hide from the search Events with the same number whose final state is "Closed"

JLC
Observer

Hi Splunkers!

First time posting here, but I could really use some help. I've been meddling with Splunk for a while, and I got the gist of it. However, I've been having a bad time with this particular search condition. If you're familiar with Service Now, it creates event logs for every state change or update a ticket receives, so you have more than one log per INC (field name -> "number"). The following search allows me to see the latest "ticket" regardless of its dv_state. However, I want to "hide" the ones that are "Closed" or "Resolved". (Note: I've redacted some of the values as I consider them to be sensitive information.) It's worth mentioning that the field "active" could be useful (values = "true" or "false"), but even if I put active="true", it will also show the dv_state in which this field was true (even though the latest state is "Closed").

splunk_server_group=oi source="[redacted]" sourcetype="snow:incident" number="*" short_description="[redacted]*" dv_state="*" dv_opened_by IN ("Oscar Pavon", "Helena Taribo", "Ronald Guevara", "Andres Penagos", "Matias Alcorta", "Agustin Gonzalez", "Abigail Soto", "Luis Huenuman") NOT sys_created_by IN ("rsa.archer", "Support")
| table number severity opened_at sys_updated_on dv_state dv_opened_by short_description dv_assignment_group
| sort -opened_at
| dedup number
| rename number as "INC Number", severity as "Severity", opened_at as "First Opened", sys_updated_on as "Latest Update", dv_opened_by as "Opened by", dv_assignment_group as "Assignment Group", dv_state as "Status", short_description as "Short Description"

| INC Number | Severity | First Opened | Latest Update | Status | Opened By | Short Description | Assignment Group |
|---|---|---|---|---|---|---|---|
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| INC1071433 | 3 | 2021-02-08 14:52:55 | 2021-02-08 16:36:53 | Resolved | Abigail Soto | [redacted] | [redacted] |
| ... | | | | | | | |

Thanks!!

scelikok
SplunkTrust

Hi @JLC,

I couldn't get what you mean by hide, not exclude; we can only hide results by filtering them. Maybe you mean not to filter at the beginning. Please try the search below; I filtered Resolved and Closed after stats.

You can save this search as a dashboard panel.

splunk_server_group=oi source="[redacted]" sourcetype="snow:incident" number="*" short_description="[redacted]*" dv_state="*" dv_opened_by IN ("Oscar Pavon", "Helena Taribo", "Ronald Guevara", "Andres Penagos", "Matias Alcorta", "Agustin Gonzalez", "Abigail Soto", "Luis Huenuman") NOT sys_created_by IN ("rsa.archer", "Support")
| stats  latest(severity) latest(opened_at) latest(sys_updated_on) latest(dv_state) latest(dv_opened_by) latest(short_description) latest(dv_assignment_group) by number
| rename latest(*) as *
| search NOT dv_state IN ("Closed","Resolved")
| rename number as "INC Number", severity as "Severity", opened_at as "First Opened", sys_updated_on as "Latest Update", dv_opened_by as "Opened by", dv_assignment_group as "Assignment Group", dv_state as "Status", short_description as "Short Description"

If this reply helps you an upvote and "Accept as Solution" is appreciated.
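The approach in this reply (collapse to the latest event per number, then filter on the latest dv_state), set beside the pitfall from the question (filtering on active="true" before collapsing), as an added Python example that is not part of the thread. The events are constructed sample data and the function names are my own.

```python
"""Added example (not from the thread): the Closed/Resolved filter must run after
picking the latest event per ticket, as in
`stats latest(...) by number | search NOT dv_state IN ("Closed","Resolved")`."""

def ev(number, updated, state, active):
    """Build one ServiceNow-style incident event (constructed sample data)."""
    return {"number": number, "sys_updated_on": updated,
            "dv_state": state, "active": active}

# One event per state change. INC1071433 was New, then In Progress,
# and was finally Resolved (active flips to "false" on the last event).
EVENTS = [
    ev("INC1075596", "2021-02-11 19:34:48", "New", "true"),
    ev("INC1075596", "2021-02-11 19:56:17", "New", "true"),
    ev("INC1071433", "2021-02-08 14:52:55", "New", "true"),
    ev("INC1071433", "2021-02-08 15:40:02", "In Progress", "true"),
    ev("INC1071433", "2021-02-08 16:36:53", "Resolved", "false"),
]

HIDDEN_STATES = {"Closed", "Resolved"}

def latest_per_number(events):
    """Equivalent of `stats latest(...) by number`: keep the most recently
    updated event for each ticket number (timestamps compare as strings
    because they are zero-padded YYYY-MM-DD HH:MM:SS)."""
    latest = {}
    for e in events:
        cur = latest.get(e["number"])
        if cur is None or e["sys_updated_on"] > cur["sys_updated_on"]:
            latest[e["number"]] = e
    return latest

def open_tickets_filter_first(events):
    """The pitfall from the question: filtering active="true" before collapsing
    lets an older active event of a now-Resolved ticket survive."""
    kept = [e for e in events if e["active"] == "true"]
    return sorted(latest_per_number(kept))

def open_tickets_filter_last(events):
    """This reply's approach: collapse to the latest event per number first,
    then drop tickets whose *latest* state is Closed or Resolved."""
    latest = latest_per_number(events)
    return sorted(n for n, e in latest.items()
                  if e["dv_state"] not in HIDDEN_STATES)

if __name__ == "__main__":
    print("filter first:", open_tickets_filter_first(EVENTS))  # ['INC1071433', 'INC1075596']
    print("filter last: ", open_tickets_filter_last(EVENTS))   # ['INC1075596']
```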

scelikok
SplunkTrust

Hi @JLC,

Please try the search below; stats is more efficient:

splunk_server_group=oi source="[redacted]" sourcetype="snow:incident" number="*" short_description="[redacted]*" dv_state="*" dv_opened_by IN ("Oscar Pavon", "Helena Taribo", "Ronald Guevara", "Andres Penagos", "Matias Alcorta", "Agustin Gonzalez", "Abigail Soto", "Luis Huenuman") NOT sys_created_by IN ("rsa.archer", "Support")
| stats  latest(severity) latest(opened_at) latest(sys_updated_on) latest(dv_state) latest(dv_opened_by) latest(short_description) latest(dv_assignment_group) by number
| rename latest(*) as *
| rename number as "INC Number", severity as "Severity", opened_at as "First Opened", sys_updated_on as "Latest Update", dv_opened_by as "Opened by", dv_assignment_group as "Assignment Group", dv_state as "Status", short_description as "Short Description"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

JLC
Observer

Hi @scelikok! I ran this and yeah, it shows the latest (what I needed); however, I want to "hide" from the results any dv_state that is not "New" or "In Progress". Note that when I say "hide", it is not excluding it from the search but rather making them "invisible".

View on my dashboard:

| INC Number | Severity | First Opened | Latest Update | Status | Opened By | Short Description | Assignment Group |
|---|---|---|---|---|---|---|---|
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| INC1071433 | 3 | 2021-02-08 14:52:55 | 2021-02-08 16:36:53 | Resolved | Abigail Soto | [redacted] | [redacted] |
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| ... | | | | | | | |

What I need:

| INC Number | Severity | First Opened | Latest Update | Status | Opened By | Short Description | Assignment Group |
|---|---|---|---|---|---|---|---|
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| ... | | | | | | | |

I forgot to mention that the final results are to be displayed on a dashboard.


ITWhisperer
SplunkTrust

Given that dedup takes the first occurrence of each value of the field, perhaps it would be better to reverse sort by last updated time as well, before the dedup:

splunk_server_group=oi source="[redacted]" sourcetype="snow:incident" number="*" short_description="[redacted]*" dv_state="*" dv_opened_by IN ("Oscar Pavon", "Helena Taribo", "Ronald Guevara", "Andres Penagos", "Matias Alcorta", "Agustin Gonzalez", "Abigail Soto", "Luis Huenuman") NOT sys_created_by IN ("rsa.archer", "Support")
| table number severity opened_at sys_updated_on dv_state dv_opened_by short_description dv_assignment_group
| sort -opened_at, -sys_updated_on
| dedup number
| where dv_status != "Closed" AND dv_status != "Resolved"
| rename number as "INC Number", severity as "Severity", opened_at as "First Opened", sys_updated_on as "Latest Update", dv_opened_by as "Opened by", dv_assignment_group as "Assignment Group", dv_state as "Status", short_description as "Short Description"

JLC
Observer

Hi @ITWhisperer , I tried running the search with these parameters but it didn't show any results.


ITWhisperer
SplunkTrust

Sorry, typo on my part:

| where dv_state != "Closed" AND dv_state != "Resolved"