I'm very new to Splunk and searched a lot for this but I wasn't able to figure it out.
I have events like name=x, id=n, status=open
After resolving each issue, a new event is indexed like name=x, id=n, status=resolved
with the same name and id (there are only 2 versions of each ID at most).
There is a table to show all of events with a filter box as all/open/resolved.
Currently I'm using this search to show events and it works fine, except that when there is a new event for the same id with status=resolved, it should not be shown under filter:open.
I really have no idea what I should do for this kind of condition, so any help would be great.
source="issue_log" status=$filter_by$ | rename id as ID, time as "Generate Time", name as Name | table "Alert", ID, "Generate Time", Status | dedup 1 ID
The answer is, no matter what the status, you can't filter on status until after you've selected the most recent (i.e. deduped).
That's probably not your working code, since it has capitalization issues on status/Status, and the field "Name" disappears but "Alert" comes from nowhere.
Here's a quick re-do. For demonstration purposes, I'm assuming all the original fields were lower case, and that name field is the same as Alert. Please correct the spelling and caps of field names as appropriate.
source="issue_log"
| table _time id name status
| dedup id
| search status=$filter_by$
| rename name as "Alert", id as "ID", _time as "Generate Time", status as "Status"
| table "Alert", "ID", "Generate Time", "Status"
In fact if you have a _time field, you can try like this:
source="issue_log" | dedup id sortby -_time | search status=$filter_by$ | rename id as ID, _time as "Generate Time", name as Name, status as Status | table Name, ID, "Generate Time", Status
You can read more here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup
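To make the ordering point from both answers concrete (dedup to the latest event per id first, sorted by -_time, and only then filter on status), here is an added Python simulation of the two pipelines over a small constructed issue_log sample. It is not Splunk code and not from any of the posters; the event values, the helper names and the epoch timestamps are all assumptions made up for the illustration.

```python
# Constructed sample of issue_log events (not from the thread).
# _time is epoch seconds; each id has at most two versions, open then resolved.
EVENTS = [
    {"_time": 100, "id": "1", "name": "disk full",     "status": "open"},
    {"_time": 200, "id": "2", "name": "cert expiring", "status": "open"},
    {"_time": 300, "id": "1", "name": "disk full",     "status": "resolved"},
    {"_time": 400, "id": "3", "name": "brute force",   "status": "open"},
    {"_time": 500, "id": "2", "name": "cert expiring", "status": "resolved"},
]


def dedup_latest(events, key="id"):
    """Mimic `dedup id sortby -_time`: keep only the most recent event per id."""
    newest_first = sorted(events, key=lambda e: e["_time"], reverse=True)
    kept = {}
    for event in newest_first:
        kept.setdefault(event[key], event)  # first one seen is the newest
    return list(kept.values())


def filter_status(events, wanted):
    """Mimic `search status=$filter_by$`; the 'all' option keeps every row."""
    if wanted == "all":
        return list(events)
    return [e for e in events if e["status"] == wanted]


def render_table(events):
    """Mimic the rename/table stage: project onto the dashboard's columns."""
    return [
        {
            "Alert": e["name"],
            "ID": e["id"],
            "Generate Time": e["_time"],
            "Status": e["status"],
        }
        for e in sorted(events, key=lambda e: e["id"])
    ]


def ids_shown(events, wanted, dedup_before_filter):
    """Return the sorted ids the table would display for a given filter.

    dedup_before_filter=False reproduces the original search (filter first,
    then dedup); True reproduces the corrected order from the answers.
    """
    if dedup_before_filter:
        rows = filter_status(dedup_latest(events), wanted)
    else:
        rows = dedup_latest(filter_status(events, wanted))
    return [row["ID"] for row in render_table(rows)]


if __name__ == "__main__":
    for order in (False, True):
        label = "dedup then filter" if order else "filter then dedup"
        for wanted in ("open", "resolved", "all"):
            print(f"{label:18} filter={wanted:8} -> {ids_shown(EVENTS, wanted, order)}")
```

With the original order, filter=open still lists ids 1 and 2 because their older open events survive the status filter and are then the only candidates left for dedup; with dedup first, only id 3 is genuinely open, and the resolved and all views are unchanged either way.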