Latest event filter on status- How to get the fail...

splunkuser320 · ‎05-28-2023

I have a query that is giving the latest event of the task but I want to filter the query for a status

| stats latest(status) as Status latest(time) as Time by TASK_NAME

Results:

TASK_NAME Status Time

TASK 1 Passed 2023-05-19T01:32:28

TASK 2 Failed 2023-05-19T01:35:28

TASK 3 Passed 2023-05-19T01:15:28

TASK 4 Passed 2023-05-19T05:32:28

I just wants all the failed tasks

gcusello · ‎05-28-2023

did you tried to filer events in the main search?

<base query>
| search status="failed"
| stats latest(status) as Status latest(time) as Time by TASK_NAME

if there's the possibility that a task can have more than a status in the period, you can put the filter at the end of the search

<base query>
| stats latest(status) as Status latest(time) as Time by TASK_NAME
| search status="failed"

Ciao.

Giuseppe

splunkuser320 · ‎05-29-2023

I tried this but the query is giving all the events. I want to get only the latest event.

yeahnah · ‎05-29-2023

Just remove the group by clause then...

...<your query>...
| search Status="failed"
| stats latest(*) AS *

By default, Splunk lists events with the latest first so you could even do this

...your base query... Status="failed"
| head 1

Latest event filter on status- How to get the failed tasks?