Re: How to store value in variable?

KimanO · ‎03-15-2023

Hi,

Let's say that I have a database with a table like this :

I would like to know if it is possible to acces and store the "New" and "Closed" status in some variables in order to draw a chart based on how much new items were created and how much were closed in the same time ?

Thank you for your help,
Oulebsir Kiman

KimanO · ‎03-16-2023

Thank you for your answer,

But how can I reach them without filtering the hole dashboard ?

This is the kinf of charts I want to do :

"New" and "Closed" are two fields I can found in the "Status" variable but I want to access to each of them without making a filter.

PickleRick · ‎03-15-2023

Whenever someone starts talking about variables it usually means that that person comes from a non-splunk paradigm and tries to do something in splunk in a non-splunky way.

So instead of writing what you're trying to _do_, tell us what you're trying to achieve (what data you have) and what your expected output is.

That's provided you're talking about search. If you're talking about dashboards (and you've posted in the dashboards and visualizations section), there is a possibility to store some values in a token which can be read by another dashboard component.

So please be more specific about what is your problem.

KimanO · ‎03-16-2023

It is true that I come from a non-splunk paradigm.

The point is to be able to draw two lines :

One for the evolution of how much "New" items I have created in a given period
One for the evolution of how much "Closed" items I have closed in the same time

Check the exemple below :

"New" and "Closed" are two fields I can found in the "Status" variable but I want to access to each of them without making a filter.

PickleRick · ‎03-16-2023

This looks like a case of simple statsing or timecharting over some field.

For example (I don't know your data so that's just an idea of a search, not actual copy-paste solution)

<your search> | timechart span=1d count by status

KimanO · ‎03-16-2023

Thank you for your proposal,

Is it possible to only select 2 fiels out of 3 when I do a

count by status

?

I only want to get the new and closed one, not the implemented

PickleRick · ‎03-16-2023

Of course. You can do that in several different ways 🙂

For example

1. Filter results of your aggregation by adding

|  search status IN (new,closed)

2. (better, but sometimes inapplicable if you want to calculate some parameters based on all events) Filter the initial data which you summarize by

<your initial search> status IN (new,closed) | stats count by status

KimanO · ‎03-16-2023

Thank you ! It is getting there slowly but it is 😁

I might have not explained it well and I am sorry about that, I would like to draw 2 lines, one for "New" status and one "Closed" status.

By doing it the way you told me to, I have one line but without "In progress", wich is already good !

The goal here is to compare how fast the "New" line growth with the "Closed" one. That is why I would like to store these 2 values in some variables to be able to display them separatly.

Thank you for your help !! Really appreciate

richgalloway · ‎03-15-2023

Once onboarded from the database, "New", "Closed" and "In progress" will be stored in the field ("variable") called 'Status'.

---
If this reply helps you, Karma would be appreciated.

How to store value in variable?

chart

table

timechart

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?