https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248022#M189172 <P>The original data is in CSV or it's ingested in Splunk? If it's ingested, which column _time field is based on?</P> Tue, 15 Mar 2016 14:53:46 GMT somesoni2 2016-03-15T14:53:46Z https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248021#M189171 <P>Hello, </P> <P>I have ticket data like below </P> <P>ID Open_date Close_date<BR /> 1 01/01/2016 02/01/2016<BR /> 2 01/01/2016 01/01/2016<BR /> 3 02/01/2016 03/01/2016<BR /> 4 02/01/2016 03/01/2016<BR /> 5 02/01/2016 03/01/2016<BR /> 6 03/01/2016 04/01/2016</P> <P>I want to populate the data on the basis of timeline. </P> <P>If I choose Jan Month in timeline The open date and closed date should have compared with timeline and counts should be visible </P> <P>Like for Jan Selection <BR /> Date Open Count Closed Count <BR /> 1-Jan-16 2 1 <BR /> 2-Jan-16 3 1 <BR /> 3-Jan-16 1 3 <BR /> 4-Jan-16 0 1 </P> <P>Is it any way to do this I am literally searching all options. I have data model however any other approach is also welcomed. </P> <P>Thanks <BR /> Praveen</P> Tue, 29 Sep 2020 09:06:15 GMT https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248021#M189171 praveenkpatidar 2020-09-29T09:06:15Z https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248022#M189172 <P>The original data is in CSV or it's ingested in Splunk? If it's ingested, which column _time field is based on?</P> Tue, 15 Mar 2016 14:53:46 GMT https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248022#M189172 somesoni2 2016-03-15T14:53:46Z https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248023#M189173 <P>Thanks somesoni2<BR /> Sorry, I missed that to mention. </P> <P>So _time is created date. So I guess the Open Count is now resolved. In the same way I have to do Closed Count.<BR /> All data is ingested in Splunk. </P> Tue, 15 Mar 2016 23:21:26 GMT https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248023#M189173 praveenkpatidar 2016-03-15T23:21:26Z https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248024#M189174 <P>Some more progress on this. </P> <P>Below both searches giving me results what I want. The only issue is joining the result into one result. <BR /> It should join all entities. </P> <P>Closed Trend<BR /> index="idx" host=Incidents | eval _time = strptime ( resolved_at, "%d/%m/%Y %H:%M:%S") | chart count(number) as closed by _time bins=100</P> <P>Open Trend<BR /> index="idx" host=Incidents | eval _time = strptime ( sys_created_on, "%d/%m/%Y %H:%M:%S") | chart count(number) as open by _time bins=100</P> Tue, 29 Sep 2020 09:06:56 GMT https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248024#M189174 praveenkpatidar 2020-09-29T09:06:56Z https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248025#M189175 <P>The key to your success would be the <CODE>streamstats</CODE> command. I am not sure if it is the most pretty or effective solution, but it gives you the wanted results:</P> <PRE><CODE> your_base_search | streamstats count as opencount by Open_date | streamstats count as closecount by Close_date | timechart span=1d max(opencount) as "Tickets opened", max(closecount) as "Tickets Closed" </CODE></PRE> <P>Your data needs to have the event timestamp as the creation day for this search to work, maybe you need to tune this a bit by adding an <CODE>eval _time= ....</CODE> to your search to achieve this.</P> Wed, 16 Mar 2016 08:59:46 GMT https://community.splunk.com/t5/Splunk-Search/compare-the-custom-dates-with-the-time/m-p/248025#M189175 DMohn 2016-03-16T08:59:46Z