https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472553#M132987 <P>Hi All,</P> <P>I'm stumped on the following search. The scenario is I'm trying to track the amount of time a support ticket is assigned to a support team and specific status, for the lifecycle of the ticket. The following |streamstats works great, assuming the ticket doesn't get assigned to the same team and status twice. (getting assigned out and back in) It currently sums the time between. Again, I only want to sum the time in a team and status, not including the time between where it goes out.</P> <P>|dedup ticket_id,_time,ticket_arvig_status<BR /> |eval temp2=id+","+ticket_status<BR /> |search (ticket_team="TIER 2" AND ticket_status="tier 2 needed"<BR /> |streamstats range(_time) AS StatusDuration by ticket_id global=f window=2<BR /> |stats sum(StatusDuration) AS TotalStatusDuration by ticket_id, ticket_status, ticket_team<BR /> |stats avg(TotalStatusDuration) as averageage by ticket_id</P> <P>Any help would be appreciated!</P> Wed, 30 Sep 2020 04:12:40 GMT mikepangrac 2020-09-30T04:12:40Z https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472553#M132987 <P>Hi All,</P> <P>I'm stumped on the following search. The scenario is I'm trying to track the amount of time a support ticket is assigned to a support team and specific status, for the lifecycle of the ticket. The following |streamstats works great, assuming the ticket doesn't get assigned to the same team and status twice. (getting assigned out and back in) It currently sums the time between. Again, I only want to sum the time in a team and status, not including the time between where it goes out.</P> <P>|dedup ticket_id,_time,ticket_arvig_status<BR /> |eval temp2=id+","+ticket_status<BR /> |search (ticket_team="TIER 2" AND ticket_status="tier 2 needed"<BR /> |streamstats range(_time) AS StatusDuration by ticket_id global=f window=2<BR /> |stats sum(StatusDuration) AS TotalStatusDuration by ticket_id, ticket_status, ticket_team<BR /> |stats avg(TotalStatusDuration) as averageage by ticket_id</P> <P>Any help would be appreciated!</P> Wed, 30 Sep 2020 04:12:40 GMT https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472553#M132987 mikepangrac 2020-09-30T04:12:40Z https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472554#M132988 <P>I'm not sure <CODE>not including the time between where it goes out.</CODE><BR /> <CODE>TotalStatusDuration</CODE> ?</P> Sat, 15 Feb 2020 00:48:39 GMT https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472554#M132988 to4kawa 2020-02-15T00:48:39Z https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472555#M132989 <P>you cant <CODE>range</CODE> _time by ticket_id because you already <CODE>dedup</CODE>ed the ticket_id ... <BR /> meaning, you have only a single event (and therefore a single _time) for each ticket_id <BR /> can you share sample data and desired results?</P> Wed, 30 Sep 2020 04:07:07 GMT https://community.splunk.com/t5/Splunk-Search/Streamstats-Time-Sum-When-Specific-Values/m-p/472555#M132989 adonio 2020-09-30T04:07:07Z