I am having a hard time querying Splunk.
The data in Splunk is a list of tickets and their updates over time, i.e.:
TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(open),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(pending),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(on hold),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_1,STATE(in progress),ASSIGNED_TO,...
TIMESTAMP,TICKET_2,STATE(closed),ASSIGNED_TO,...
I am looking for a way to find the 50 oldest tickets that are NOT closed.
How should I query Splunk, knowing I have a 5-year-old database of tickets?
Try out this query:
index=indexName sourcetype=sourcetypeName STATE!="closed" | sort _time | head 50
Search over All Time, as your data is pretty old; this may take some time.
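The query above filters individual events, so it returns the 50 oldest non-closed update rows, not the 50 oldest tickets: a ticket that was later closed still has older open/in-progress events that pass the filter, and one busy ticket can occupy many of the 50 slots. The following search is an added example, not part of the original answer; it assumes the ticket identifier is in a field named TICKET and the state in STATE (the question does not say what the fields are called), with indexName and sourcetypeName as placeholders. It collapses each ticket to its first-seen time and its most recent state, then drops tickets whose latest state is closed:

```spl
index=indexName sourcetype=sourcetypeName
| stats earliest(_time) AS first_seen, latest(STATE) AS last_state BY TICKET
| eval last_state=lower(last_state)
| where last_state!="closed"
| sort 50 first_seen
| convert ctime(first_seen)
```

`latest(STATE)` takes the value from the chronologically newest event per ticket, so a ticket that went open -> in progress -> closed is excluded even though its early events are not closed, while a ticket that was closed and then reopened is kept. The `where` runs after `stats`, so it cannot truncate the history the aggregation needs; `sort 50 first_seen` keeps only the 50 earliest-created tickets, and `convert ctime` turns the epoch into a readable timestamp. The `lower()` step guards against mixed-case state values such as "Closed"; remove it if the field is already normalised. Because `stats` has to see every event for every ticket, run it over All Time once, and consider scheduling it into a summary index if it is needed regularly.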