If a certain incident is in the Resolved/Closed state, I want all logs pertaining to that incident to be excluded from the search, i.e. logs which also have that same incident in, say, the Open/Assigned/WIP state. In other words, I want to create a table in Splunk with all the incidents which haven't been closed/resolved.
My query:
index=xxxx source=xxxxx (state!="Closed*" AND state!="Resolved")
| dedup number
| table number Timestamps priority "Age(in Days)" text Status
The problem with this query is that if an incident (number field) has been resolved, Splunk will simply exclude that log and instead take up the most recent remaining log for that incident and show it in the "Assigned" or "WIP" state, which is incorrect.
Hoping for an accurate solution. Have been stuck with this for days 😠
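One way to express this exclusion in SPL, added here as an example and not part of the original post. It assumes the same index, source and field names the question uses (index=xxxx, source=xxxxx, number, state, Status) and treats any state value beginning with Closed or Resolved, case-insensitively, as terminal. The difference from the original search is that the terminal check is evaluated per incident across all of its events before anything is dropped, so an incident that was ever closed or resolved disappears entirely instead of surviving with an earlier, non-terminal event.

```spl
index=xxxx source=xxxxx
| eventstats max(eval(if(match(coalesce(state, ""), "(?i)^(Closed|Resolved)"), 1, 0))) AS ever_closed BY number
| where ever_closed=0
| dedup number
| table number Timestamps priority "Age(in Days)" text Status
```

The eventstats line attaches an ever_closed flag (1 or 0) to every event of each incident, computed over all events sharing that number; the where clause then removes every event of any incident whose flag is 1, and only after that does dedup keep the most recent event per remaining incident (search results arrive newest first, so no explicit sort is needed). Events with no state field are treated as not closed by the coalesce. Two caveats: eventstats holds all matching events for the time range in memory, so for large volumes a `stats latest(...) ... BY number` with the same max(eval(...)) flag is cheaper; and the question filters on state but tabulates Status, which this example keeps as written, so confirm those are really two different fields in the data.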