Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Turning a field with status variables in to a new field with absolute an difference

Software-Simian
Path Finder
‎01-31-2022 08:22 AM

Hi,

i looked for an answer an some came close. But i could not get it flying.

Here is the Problem Description:

I have a field that contains the status of a ticket ("created_done").

I can easily count the number using by or doing that:

| stats count(eval(created_done="created")) as created count(eval(created_done="done")) as done by title impact

However i would like something like this:
| stats count by title impact status

status at this point should be a field holding the sum of solved tickets and the sum of open tickets:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1open5
title 1impact 2solved45
title 1impact 2open3

 

Probably this has already been answered, i apologize in advance, but i could not get any solution working.

 

Kind regards,

Mike

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-01-2022 01:25 AM

One way to do it:

| makeresults 
| eval _raw="Title,   Impact,   Status,  Count
title 1,impact 1,solved,90
title 1,impact 1,created,95
title 1,impact 2,solved,45
title 1,impact 2,created,48"
| multikv forceheader=1
| fields - _raw, linecount
| streamstats reset_on_change=t window=1 first(Count) as preCount last(Count) as nxtCount by Title, Impact
| eval Open=nxtCount - preCount
| eval Status = if (Status=="created", "open", Status), Count = if(Status=="open", Open, Count)
| table Title, Impact, Status, Count

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution

Software-Simian
Path Finder
‎01-31-2022 11:22 PM

Hi,

actually the values come from exactly that field. so i want to get from:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1created95
title 1impact 2solved45
title 1impact 2created48

 

to:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1open5
title 1impact 2solved45
title 1impact 2open3
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-01-2022 01:25 AM

One way to do it:

| makeresults 
| eval _raw="Title,   Impact,   Status,  Count
title 1,impact 1,solved,90
title 1,impact 1,created,95
title 1,impact 2,solved,45
title 1,impact 2,created,48"
| multikv forceheader=1
| fields - _raw, linecount
| streamstats reset_on_change=t window=1 first(Count) as preCount last(Count) as nxtCount by Title, Impact
| eval Open=nxtCount - preCount
| eval Status = if (Status=="created", "open", Status), Count = if(Status=="open", Open, Count)
| table Title, Impact, Status, Count

r. Ismo 

Reply
Solved! Jump to solution

Software-Simian
Path Finder
‎02-01-2022 01:53 AM

Hi Iso,

thanks, it works like a charme!!

 

regards,

Mike

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2022 08:59 AM

Hi

if I understand this right, you have almost correct stats here. Just replace status -> created_done and after stats you could rename that field as status.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...