Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Turning a field with status variables in to a new field with absolute an difference

Software-Simian
Path Finder
‎01-31-2022 08:22 AM

Hi,

i looked for an answer an some came close. But i could not get it flying.

Here is the Problem Description:

I have a field that contains the status of a ticket ("created_done").

I can easily count the number using by or doing that:

| stats count(eval(created_done="created")) as created count(eval(created_done="done")) as done by title impact

However i would like something like this:
| stats count by title impact status

status at this point should be a field holding the sum of solved tickets and the sum of open tickets:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1open5
title 1impact 2solved45
title 1impact 2open3

 

Probably this has already been answered, i apologize in advance, but i could not get any solution working.

 

Kind regards,

Mike

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-01-2022 01:25 AM

One way to do it:

| makeresults 
| eval _raw="Title,   Impact,   Status,  Count
title 1,impact 1,solved,90
title 1,impact 1,created,95
title 1,impact 2,solved,45
title 1,impact 2,created,48"
| multikv forceheader=1
| fields - _raw, linecount
| streamstats reset_on_change=t window=1 first(Count) as preCount last(Count) as nxtCount by Title, Impact
| eval Open=nxtCount - preCount
| eval Status = if (Status=="created", "open", Status), Count = if(Status=="open", Open, Count)
| table Title, Impact, Status, Count

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution

Software-Simian
Path Finder
‎01-31-2022 11:22 PM

Hi,

actually the values come from exactly that field. so i want to get from:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1created95
title 1impact 2solved45
title 1impact 2created48

 

to:

TitleImpactStatusCount
title 1impact 1solved90
title 1impact 1open5
title 1impact 2solved45
title 1impact 2open3
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-01-2022 01:25 AM

One way to do it:

| makeresults 
| eval _raw="Title,   Impact,   Status,  Count
title 1,impact 1,solved,90
title 1,impact 1,created,95
title 1,impact 2,solved,45
title 1,impact 2,created,48"
| multikv forceheader=1
| fields - _raw, linecount
| streamstats reset_on_change=t window=1 first(Count) as preCount last(Count) as nxtCount by Title, Impact
| eval Open=nxtCount - preCount
| eval Status = if (Status=="created", "open", Status), Count = if(Status=="open", Open, Count)
| table Title, Impact, Status, Count

r. Ismo 

Reply
Solved! Jump to solution

Software-Simian
Path Finder
‎02-01-2022 01:53 AM

Hi Iso,

thanks, it works like a charme!!

 

regards,

Mike

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-31-2022 08:59 AM

Hi

if I understand this right, you have almost correct stats here. Just replace status -> created_done and after stats you could rename that field as status.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...