Calculating multiple counts in one search

synastraa · ‎04-25-2019

Hi all,

I am trying to get the results for both the stats count in the code below.

I'm getting no results when I do both counts together in the search but when I do them individually, the results shows up. Could I get some advice on this if I am doing anything wrong here. Thanks!

eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")|eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
|stats count(Incident_Number) as inflow by reported | stats count(Incident_Number) as close by resolved

woodcock · ‎04-25-2019

Try this:

.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| eval _time = coalesce(reported, resolved)
| eval Incident_Number = if(isnotnull(Incident_Number), _time, null())
| timechart count(Incident_Number) by Incident_Number

synastraa · ‎04-26-2019

Hi,

The results I'm looking for are as shown. Thanks!

_time Inflow closed (Inflow - closed) ( accumulated (inflow - closed ) )
Jan 10 | 5 | 5 | 5
Feb 10 | 5 | 5 | 10
Mar 20 | 7 | 13 | 23

woodcock · ‎04-26-2019

OK, now show us the raw events that would generate this result.

woodcock · ‎04-25-2019

Like this:

.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| multireport
[ stats count(Incident_Number) as inflow by reported ]
[ stats count(Incident_Number) as close by resolved ]

synastraa · ‎04-25-2019

I have tried this out and only the first stats count results was displayed.

Calculating multiple counts in one search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!