In the stats command below, I try to retrieve the _time values (which is the Splunk timestamp) corresponding to the "Resolver group" column.
I succeeded in doing this by replacing the "by ticket_id" clause with an "assignment_group_name" clause, but I need to keep my "by ticket_id" clause.
| stats values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id
I tried something like this, but I have just one timestamp:
| stats latest(_time) as _time, values(assignment_group_name) as "Resolver group", dc(assignment_group_name) as "Number of assignment group" by ticket_id
Could you help please?
I am not entirely sure what you are trying to achieve - perhaps some sample data and an example of what you are hoping to see would help. Having said that, have you tried having more than one dimension to the by clause e.g.
| stats latest(_time) as _time by ticket_id assignment_group_name
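To illustrate the two-dimension by clause suggested above, here is an added example search (not from the original post). The field names match the thread; the four events for ticket "AAAAAAAAAAA" are constructed with makeresults, and the second stats is an assumed way of rolling the result back up to one row per ticket_id while keeping one timestamp per resolver group.

```spl
| makeresults count=4
| streamstats count AS n
| eval ticket_id="AAAAAAAAAAA"
| eval assignment_group_name=case(n==1,"123", n==2,"456", n==3,"456", n==4,"789")
| eval _time=now() - (4-n)*3600
| stats latest(_time) AS _time BY ticket_id assignment_group_name
| eval event_time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| sort 0 ticket_id _time
| stats list(assignment_group_name) AS "Resolver group", list(event_time) AS "Event time", dc(assignment_group_name) AS "Number of assignment group" BY ticket_id
```

The first stats keeps the latest event per (ticket_id, assignment_group_name) pair, so the repeated group "456" collapses to one row with its most recent time; list() then keeps the resolver groups and their times in the same order, so the two multivalue columns line up row for row.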
Actually, I have 3 columns
"Ticket Number" "Resolver group" "Count"
AAAAAAAAAAA 123 3
As you can see, a ticket number can have different resolver groups.
In front of each Resolver group I would like to have the timestamp of the event, because if there are for example 3 resolver groups it means that 3 events exist.
Can the same resolver group appear in your events for the same ticket number? If so, which time do you want to keep, or do you want all the events (with time and associated resolver group)?