sourcetype="my_sourcetype" ("Build Failed" NOT "Build Succeeded") earliest=@d+2h | rename host as "Imaging Server" | table "Imaging Server", _time | sort - count | sort -_time
This shows me what servers have not imaged correctly each night. I then want to have the last successful build from the failures. Any recommendations?
@rlseafor - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
I don't have your example data but maybe try something like the following assuming you have the buildstate extracted into a field.
... | stats max(_time) as latestSeen by host, buildstate | xyseries host buildstate latestSeen | rename latestSeen:* as *
You could then sort on the time. maybe do some math on the gap between the time values in the buildstate columns at the end.