×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
saeidbsn
New Member
Member since: ‎11-08-2016
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-08-2016
Activity Feed
View All

Is it possible to emit old events from a lookup ta...

by in Splunk Search
‎11-08-2016 05:43 AM
‎11-08-2016 05:43 AM
I'm very new to Splunk and searched a lot for this but i wasn't able to figure it out. I have events like name=x, id=n, status=open After resolving each issue, a new event is indexed like name=x, id=n, status=resolved with same name and id (there is only 2 versions of each ID at most) There is a table to show all of events with a filter box as all/open/resolved. Currently I'm using this search to show events and it works fine, unless what is needed is when there is a new event for same id with status=resolved it should not be shown under filter:open . I really have no idea what should i do for this kind of condition so any help would be great. source="issue_log" status=$filter_by$ | rename id as ID, time as "Generate Time", name as Name | table "Alert", ID, "Generate Time", Status | dedup 1 ID ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM