How do I get the latest events for the search below?
i.e. the count should use the latest RegistrationState and SessionState if I search over the last 15 mins or 60 mins. It should always use the latest events for the count, so I can get the latest count of Available and Unregistered.
index=xx InMaintenanceMode=False |dedup MachineName,RegistrationState | eval avail=if(SessionState=="","t","f")|eval unreg=if(RegistrationState=="Unregistered","t","f") | stats count(eval(avail="t")) AS Available, count(eval(unreg="t")) AS Unregistered by SiteName,DesktopGroupName
Hi kris99,
you can use last() in your stats http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/CommonStatsFunctions
something like this should do the job:
index=xx InMaintenanceMode=False
| dedup MachineName,RegistrationState
| eval avail=if(SessionState=="","t","f")
| eval unreg=if(RegistrationState=="Unregistered","t","f")
| stats count, last(eval(avail="t")) AS Available, last(eval(unreg="t")) AS Unregistered by SiteName,DesktopGroupName
hope this helps ...
cheers, MuS
Doesn't work.
It's adding a new count column and returning Available and Unregistered as 1 only.
okay maybe I misunderstand your question, but did you try to add head http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Head to your search? This will return only the latest events of your base search. Maybe this is what you are after?
well, last() will get you the latest events, like you asked. Maybe you have to rephrase your question and provide some more details, like event sample and expected result....
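An added example, not part of the original thread: `dedup MachineName,RegistrationState` keeps one event per machine per state, so a machine that changed state inside the time window is counted under both. Deduplicating on MachineName alone keeps only the first event returned for each machine, which is the most recent one when results are in the default newest-first order of a historical search (an assumption here, as is the rule that each machine reports under a single SiteName and DesktopGroupName).

```spl
index=xx InMaintenanceMode=False
| dedup MachineName
| eval avail=if(SessionState=="","t","f")
| eval unreg=if(RegistrationState=="Unregistered","t","f")
| stats count(eval(avail="t")) AS Available, count(eval(unreg="t")) AS Unregistered by SiteName,DesktopGroupName
```

Because the InMaintenanceMode=False filter runs before the dedup, a machine whose newest event is in maintenance mode is still counted by its most recent non-maintenance event; moving the filter into a `| search InMaintenanceMode=False` after the dedup excludes such machines instead.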