Splunk Search

Is it possible to emit old events from a lookup table when newer events with same id exists?

saeidbsn
New Member

I'm very new to Splunk and searched a lot for this, but I wasn't able to figure it out.

I have events like name=x, id=n, status=open

After resolving each issue, a new event is indexed like name=x, id=n, status=resolved with the same name and id (there are only 2 versions of each ID at most).

There is a table to show all of events with a filter box as all/open/resolved.

Currently I'm using this search to show events and it works fine, except for what is needed: when there is a new event for the same id with status=resolved, it should not be shown under filter:open.

I really have no idea what I should do for this kind of condition, so any help would be great.

source="issue_log" status=$filter_by$ | rename id as ID, time as "Generate Time", name as Name | table "Alert", ID, "Generate Time", Status | dedup 1 ID
0 Karma

DalJeanis
SplunkTrust

The answer is, no matter what the status, you can't filter on status until after you've selected the most recent (ie deduped).

That's probably not your working code, since it has capitalization issues on status/Status, and the field "Name" disappears but "Alert" comes from nowhere.

Here's a quick re-do. For demonstration purposes, I'm assuming all the original fields were lower case, and that name field is the same as Alert. Please correct the spelling and caps of field names as appropriate.

source="issue_log" 
| table _time  id name status 
| dedup id
| search status=$filter_by$ 
| rename name as "Alert",  id as "ID", _time as "Generate Time", status as "Status"
| table "Alert", "ID", "Generate Time", "Status" 
0 Karma
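The point DalJeanis makes above (filter only after you have kept the newest event per id) is easy to see by simulating both pipeline orders on a handful of events. The following Python is an added example, not code from the original thread or from Splunk; it mimics SPL's `dedup` (keep the first occurrence per key, on a result set in reverse-time order, which is Splunk's default) over a constructed `issue_log` sample, and compares the poster's filter-then-dedup order with the dedup-then-filter order from the answer.

```python
from datetime import datetime

# Constructed sample issue_log events (not taken from the original post).
# Each id has at most two versions: an "open" event and a later "resolved" one.
EVENTS = [
    {"_time": datetime(2024, 3, 1, 9, 0),  "id": 1, "name": "disk full",     "status": "open"},
    {"_time": datetime(2024, 3, 1, 9, 5),  "id": 2, "name": "cert expiring", "status": "open"},
    {"_time": datetime(2024, 3, 1, 10, 0), "id": 1, "name": "disk full",     "status": "resolved"},
    {"_time": datetime(2024, 3, 1, 11, 0), "id": 3, "name": "failed logins", "status": "open"},
    {"_time": datetime(2024, 3, 1, 12, 0), "id": 3, "name": "failed logins", "status": "resolved"},
]


def dedup_latest(events, key="id"):
    """Mimic `| dedup id` on results in reverse-time order (Splunk's default):
    the first event seen per id is kept, which is the newest one."""
    seen = set()
    kept = []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev[key] not in seen:
            seen.add(ev[key])
            kept.append(ev)
    return kept


def filter_status(events, status):
    """Mimic `status=$filter_by$` with the dashboard's all/open/resolved filter."""
    if status == "all":
        return list(events)
    return [ev for ev in events if ev["status"] == status]


def filter_then_dedup(events, status):
    """The original search: status filter first, dedup afterwards.
    A resolved issue still shows up as open, because its older open event
    survives the filter and is then the only version left to dedup."""
    return dedup_latest(filter_status(events, status))


def dedup_then_filter(events, status):
    """The order from the answer: keep the newest event per id, then filter.
    An issue whose newest event is resolved never appears under open."""
    return filter_status(dedup_latest(events), status)


def ids(events):
    """Sorted ids of a result set, for comparing the two pipelines."""
    return sorted(ev["id"] for ev in events)


if __name__ == "__main__":
    for status in ("open", "resolved", "all"):
        print(f"filter={status}: filter-then-dedup -> {ids(filter_then_dedup(EVENTS, status))}, "
              f"dedup-then-filter -> {ids(dedup_then_filter(EVENTS, status))}")
```

With the sample data, the original order reports ids 1, 2 and 3 as open even though 1 and 3 have since been resolved; the dedup-first order reports only id 2 as open and 1 and 3 as resolved. The two orders agree only for the "all" filter, which is why the original search looked fine until the open filter was used.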

C_HIEN
Path Finder

In fact, if you have a _time field, you can try it like this:

source="issue_log" status=$filter_by$ | rename id as ID, time as "Generate Time", name as Name | table "Alert", ID, "Generate Time", Status | dedup ID sortby -_time

You can read more here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup

0 Karma