Hello,
I have data from a ticketing system where events look (more or less, for simplicity) like this:
date, ticketNumber, status, group
and for every change in the ticket a new Splunk event is generated, eg:
24.02.2017 09:50,0001,Assigned,G1
24.02.2017 10:00,0001,In progress,G1
24.02.2017 11:00,0001,Closed,G6
24.02.2017 11:30,0002,In Progress,G2
24.02.2017 11:45,0003,Pending,G3
24.02.2017 12:00,0003,Resolved,G3
Now I want to know which tickets are open (status Assigned, Pending or In Progress) for my groups (G1-G5).
What I'm expecting to get is:
0002,In Progress,G2
But my search:
index=tickets group="G1" OR group="G2" OR group="G3" OR group="G4" OR group="G5" | dedup ticketNumber | search status="Assigned" OR status="Pending" OR status="In Progress"
does not see the closures of tickets done by other groups, and I am getting:
0001,In progress,G1
0002,In Progress,G2
How should I modify the search to meet my expectations?
I need somehow to filter the tickets before any calculation, as there are a lot of tickets and many groups. Also, the groups which are closing tickets belonging to our groups are not defined, so it could be G6-GXX.
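One way to express this in SPL, added here as an example and not part of the original post: the search above drops the G6 closure event before dedup runs, so ticket 0001's most recent visible event is still "In progress". The fix is to select the ticket numbers by group first (in a subsearch), then pull every event for those tickets regardless of group, keep only the latest event per ticket, and filter on status last. Field names, index name and status values are the ones given in the question; the `table` column list is an assumption.

```spl
index=tickets
    [ search index=tickets group="G1" OR group="G2" OR group="G3" OR group="G4" OR group="G5"
      | dedup ticketNumber
      | fields ticketNumber ]
| dedup ticketNumber sortby -_time
| search status="Assigned" OR status="Pending" OR status="In Progress"
| table _time ticketNumber status group
```

The subsearch expands to `(ticketNumber="0001") OR (ticketNumber="0002")`, so the outer search also sees the G6 closure of 0001; `dedup ... sortby -_time` keeps that closure as the ticket's current state, and the final status filter removes it, leaving 0002. Value matching in the `search` command is case-insensitive, so "In progress" and "In Progress" both match. Subsearches are bounded by the `maxout` (default 10,000 results) and `maxtime` (default 60 seconds) settings in limits.conf; with a very large ticket population, an equivalent without a subsearch is `| stats values(group) AS groups latest(status) AS status latest(group) AS group BY ticketNumber` followed by `| search groups="G1" OR groups="G2" ...` and the same status filter, at the cost of aggregating all tickets first.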