Re: Calculating multiple counts in one search

synastraa · ‎04-25-2019

Hi all,

I am trying to get the results for both the stats count in the code below.

I'm getting no results when I do both counts together in the search but when I do them individually, the results shows up. Could I get some advice on this if I am doing anything wrong here. Thanks!

eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")|eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
|stats count(Incident_Number) as inflow by reported | stats count(Incident_Number) as close by resolved

woodcock · ‎04-25-2019

Try this:

.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| eval _time = coalesce(reported, resolved)
| eval Incident_Number = if(isnotnull(Incident_Number), _time, null())
| timechart count(Incident_Number) by Incident_Number

synastraa · ‎04-26-2019

Hi,

The results I'm looking for are as shown. Thanks!

_time Inflow closed (Inflow - closed) ( accumulated (inflow - closed ) )
Jan 10 | 5 | 5 | 5
Feb 10 | 5 | 5 | 10
Mar 20 | 7 | 13 | 23

woodcock · ‎04-26-2019

OK, now show us the raw events that would generate this result.

woodcock · ‎04-25-2019

Like this:

.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| multireport
[ stats count(Incident_Number) as inflow by reported ]
[ stats count(Incident_Number) as close by resolved ]

synastraa · ‎04-25-2019

I have tried this out and only the first stats count results was displayed.

Calculating multiple counts in one search

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability