Solved: How to use last() and first() commands in splunk?

ramesh12345 · ‎03-04-2019

Hi,

index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment_group |streamstats current=f last(assignment_group) as lg, last(active) as Active,first(assigned_to) as fs,last(assigned_to) as ls by CaseNumber|lookup Team.csv test as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment_group!=lg AND assignment_group="Support L1",1,NULL) |eval is_resolved=if(assignment_group="Support L1" AND status="Complete" AND (isnull(Active) OR Active="true") AND fs=ls,1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName

The above query display the person wise resolved and escalated count.The persons names we are reading from Team.csv file.
1)Now i want to display count of only one person resolved entire case(from first to last means first(assigned_to)=last(assigned_to).
2)Now i want to display persons who is involved in that case while resolving partcular case.
EX:Case No :1111,assigned_to: ramesh,raju,ramu.
So three members worked for this case.so this case should comes under all three.
3)Two steps same for Escalated cases as well.

How to do this?

woodcock · ‎03-05-2019

You need to add values(assigned_to) as all in there, too.

View solution in original post

woodcock · ‎03-05-2019

You need to add values(assigned_to) as all in there, too.

How to use last() and first() commands in splunk?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!