Splunk Search

How do you make a date and time comparison in field values based on a condition?

vikas_baranwal
Path Finder

Hello everyone,

I need your help with a date\time comparison in the table field itself.

Let's suppose any key value goes into status "In QA" after completing status "In Dev" with some date\time, and then, due to some issues which will be identified later on, the same key value status changed again into "In QA" status.

I am looking for the date\time when Status changed into "In Dev" for the second time.

I have attached a screenshot at the URL below.

https://ibb.co/BPnrqXL

Thank you all for any help in advance!

0 Karma

vikas_baranwal
Path Finder

Hi Everyone, please advise on this request.

Thank you!

0 Karma

vikas_baranwal
Path Finder

Hello Everyone,

Please help me with the solution. If the explanation is not clear enough, I can try to explain more.

Thanks

0 Karma

joshualarkins
Explorer

Are you just trying to find all tickets where it's not their first time being "In Dev"? If so, I think you could use a combination of

| stats EARLIEST(update_final) AS earliest_update_final, LATEST(update_final) AS latest_update_final BY key
| where earliest_update_final != latest_update_final

0 Karma

vikas_baranwal
Path Finder

Hi,
I am looking for the date\time when any key value status changed to "In Dev" status for the 2nd time, which is "11-07-2018 09:09:56" in the screenshot.

It is required to show a metric of how many keys failed when they crossed "In Dev" status, when the status was changed from "In Dev" to "In QA", testing was done again and it failed. Now the status moved again to "In Dev" status from "In QA" status.

Thank you for your help on this.

0 Karma

harishalipaka
Motivator

hi @vikas_baranwal

I am not clear what you want. Can you explain properly?

Try like this: |where key="CORE-36256" and status="In Dev" |stats latest(update_final) as second_time

Thanks
Harish
0 Karma

vikas_baranwal
Path Finder

Hi Hari,

In the screenshot, please see what I have highlighted in yellow and red.

https://ibb.co/rdvQXvy

Normally the process for any key value status change is:

"Ready for Dev" ---> "In Dev" ---> "In QA" ---> Done

But when any issue is found in "In QA" status, the key status rolls back into "In Dev" and completes the cycle again.

Ready for Dev ---> In Dev ---> In QA ---> Ready for Dev ---> In Dev ---> In QA ---> Done

I am looking for the date\time when the status changes into "In Dev" status for the 2nd time.

0 Karma
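Added example, not part of any post in this thread: one way to get the timestamp of the second entry into "In Dev" per key is to number each transition into "In Dev" with `streamstats` and keep the second one, so that repeated updates while a key is already "In Dev" are not counted. The field names `key`, `status` and `update_final` come from the thread; the DEMO-* rows are constructed sample data, and the `%m-%d-%Y` date format is an assumption (use `%d-%m-%Y` if the day comes first).

```spl
| makeresults
| eval raw="DEMO-1,Ready for Dev,11-01-2018 10:00:00;DEMO-1,In Dev,11-02-2018 09:30:00;DEMO-1,In QA,11-05-2018 14:00:00;DEMO-1,Ready for Dev,11-06-2018 16:45:00;DEMO-1,In Dev,11-07-2018 09:00:00;DEMO-1,In Dev,11-07-2018 15:20:00;DEMO-1,In QA,11-08-2018 11:00:00;DEMO-2,Ready for Dev,11-01-2018 08:00:00;DEMO-2,In Dev,11-02-2018 08:00:00;DEMO-2,In QA,11-03-2018 08:00:00;DEMO-2,Done,11-04-2018 08:00:00"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<key>[^,]+),(?<status>[^,]+),(?<update_final>.+)$"
| eval update_epoch=strptime(update_final, "%m-%d-%Y %H:%M:%S")
| sort 0 key update_epoch
| streamstats current=f window=1 global=f last(status) AS prev_status BY key
| where status="In Dev" AND (isnull(prev_status) OR prev_status!="In Dev")
| streamstats count AS dev_entry BY key
| where dev_entry=2
| table key update_final
```

On real data, replace the first five lines with the base search that returns `key`, `status` and `update_final`. Appending `| stats dc(key) AS reopened_keys` turns the result into a count of keys that went back to "In Dev".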