I am having hard times to query the Splunk.
The data in splunk is a list of tickets and their updates over time i.e:
TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(pending),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(on hold),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(closed),ASSIGNED_TO,...
I am looking for a way to find 50 Oldest tickets that are NOT closed.
How should i query the splunk knowing i have 5 years old database of tickets?
... View more