Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculating multiple counts in one search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calculating multiple counts in one search
synastraa
Path Finder
04-25-2019
07:58 PM
Hi all,
I am trying to get the results for both the stats count in the code below.
I'm getting no results when I do both counts together in the search but when I do them individually, the results shows up. Could I get some advice on this if I am doing anything wrong here. Thanks!
eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")|eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
|stats count(Incident_Number) as inflow by reported | stats count(Incident_Number) as close by resolved
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-25-2019
11:15 PM
Try this:
.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| eval _time = coalesce(reported, resolved)
| eval Incident_Number = if(isnotnull(Incident_Number), _time, null())
| timechart count(Incident_Number) by Incident_Number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
synastraa
Path Finder
04-26-2019
12:34 AM
Hi,
The results I'm looking for are as shown. Thanks!
_time Inflow closed (Inflow - closed) ( accumulated (inflow - closed ) )
Jan 10 | 5 | 5 | 5
Feb 10 | 5 | 5 | 10
Mar 20 | 7 | 13 | 23
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-26-2019
05:56 PM
OK, now show us the raw events that would generate this result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-25-2019
09:50 PM
Like this:
.... | eval reported=strftime(strptime(Reported_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b")
| eval resolved=strftime(strptime(Last_Resolved_Date_Time,"%Y-%m-%d%H:%M:%S.%Q"),"%b-%Y")
| multireport
[ stats count(Incident_Number) as inflow by reported ]
[ stats count(Incident_Number) as close by resolved ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
synastraa
Path Finder
04-25-2019
11:00 PM
I have tried this out and only the first stats count results was displayed.
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
