topic Re: Two stats on different period in Splunk Search

Two stats on different period

tahasefiani — Wed, 29 Jan 2020 16:10:17 GMT

Hello,
I have this query that return me the table below.

The query :

    | loadjob savedsearch="myquery"
          | where (strftime(_time, "%Y-%m-%d") >= "2019-12-09") AND (strftime(_time, "%Y-%m-%d") <= "2019-12-10")
          | stats dc(eval(if(((STEP=="Recieved",ID_MESSAGE,NULL))) AS Recieved,
                    dc(eval(if(((STEP=="answered",ID_MESSAGE,NULL))) AS answered,
                    dc(eval(if(((STEP=="deleted",ID_MESSAGE,NULL))) AS deleted by client
|fields client,Recieved,answered,deleted

Result :

The problem is , for some client like "35535" he receieved the Message 10/12 but he answered the 12/12, i want to give my client a margin of 4 days.
So,if my client recieves the message between the 09/12 and 10/12, i will check if his answered between the 09/10 and the 14/12.
the messages received and deleted must be over the period from 09/12 and 10/10, but those answered must be from 09/12 and 14/12
Thanks 🙂

Re: Two stats on different period

to4kawa — Thu, 30 Jan 2020 01:20:02 GMT

what's your expected result?

Re: Two stats on different period

morethanyell — Thu, 30 Jan 2020 01:55:04 GMT

Not an answer but just wanted to point out that this portion | where (strftime(_time, "%Y-%m-%d") >= "2019-12-09") AND (strftime(_time, "%Y-%m-%d") <= "2019-12-10") might not work as expected. It's better to make comparison operation like greater than if the time is in epoch, rather than formatted in string. maybe consider doing |where _time >= strptime("2019-12-09", "%F") AND _time <= strptime("2019-12-10", "%F")

Re: Two stats on different period

to4kawa — Thu, 30 Jan 2020 03:52:59 GMT

| makeresults 
| eval check=if(strftime(now(),"%F") < strftime(relative_time(now(),"+1d@d"),"%F"), "OK" ,"NG")

I think so ,too. but Splunk can....

Re: Two stats on different period

tahasefiani — Thu, 30 Jan 2020 08:23:27 GMT

@to4kawa my expected result is :
client : 35535
Recieved : 1
answered : 1
deleted : 0
knowing that the research period is from 09/12 to 10/12,but because my client answered between 09 and 14 I display 1 in answered

Re: Two stats on different period

to4kawa — Thu, 30 Jan 2020 08:43:33 GMT

| loadjob savedsearch="myquery" 
| stats dc(eval(if(STEP=="Recieved" AND (strftime(_time, "%Y-%m-%d") >= "2019-12-09" AND strftime(_time, "%Y-%m-%d") <= "2019-12-10"),ID_MESSAGE,NULL))) AS Recieved,
    dc(eval(if(STEP=="answered" AND (strftime(_time, "%Y-%m-%d") >= "2019-12-09" AND strftime(_time, "%Y-%m-%d") <= "2019-12-14",ID_MESSAGE,NULL))) AS answered,
    dc(eval(if(STEP=="deleted" AND (strftime(_time, "%Y-%m-%d") >= "2019-12-09" AND strftime(_time, "%Y-%m-%d") <= "2019-12-10"),ID_MESSAGE,NULL))) AS deleted by client 
| fields client,Recieved,answered,deleted

Be careful time picker.