Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats command with latest values listing

jerinvarghese
Communicator
‎11-14-2024 01:57 AM

Hi Team,

 

I have a splunk query that am testing for Service Now data extract.

 

index=snow "INC783"
| search dv_state="In Progress" OR dv_state="New" OR dv_state="On Hold"
| stats max(_time) as Time latest(dv_state) as State by number, dv_priority
| fieldformat Time=strftime(Time,"%Y-%m-%d %H:%M:%S")
| table number,Time, dv_priority, State

 

 

The challenge with the code is, above output is listing all the states for the particular Incidnet, even when i tried to filter for only the latest and max time.

numberTimedv_priorityState
INC7832024-11-13 16:56:141 - CriticalIn Progress
INC7832024-11-13 17:00:033 - ModerateOn Hold

 

The data must only show the latest one, which must be the one with "On Hold".
Tried multiple method, but failing and showing all.
how can i achieve it.

 

thanks

Jerin V

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2024 02:21 AM

Your by clause also include dv_priority which is why you are getting multiple results for an incident. Try something like this

index=snow "INC783"
| search dv_state="In Progress" OR dv_state="New" OR dv_state="On Hold"
| stats max(_time) as Time latest(dv_state) as State latest(dv_priority) as Priority by number
| fieldformat Time=strftime(Time,"%Y-%m-%d %H:%M:%S")
| table number,Time, Priority, State

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2024 02:21 AM

Your by clause also include dv_priority which is why you are getting multiple results for an incident. Try something like this

index=snow "INC783"
| search dv_state="In Progress" OR dv_state="New" OR dv_state="On Hold"
| stats max(_time) as Time latest(dv_state) as State latest(dv_priority) as Priority by number
| fieldformat Time=strftime(Time,"%Y-%m-%d %H:%M:%S")
| table number,Time, Priority, State
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...