Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create a evaluation in each end of month based in one field that is not _time field

nsanchezfernand
Path Finder
‎05-23-2017 12:20 AM

Hi.

I am indexing data from a ticketing tool. I need to see what tickets were opened at end of each month. I've done a initial charge of the database, because of this, I can't use the _time indexed, otherwise I have to use open_date and close_date. Basically, the logic that I need to apply is:

Make a count of all tickets that were opened before end of month and were closed after the end of that month. I need show like timechart with this info by month.

Any idea about the way to get this info? Maybe could be useful the gentimes command?

Thanks.

0 Karma
Reply

niketn
Legend
‎05-23-2017 02:02 AM

[Updated Answer]
Since you need last day of Current month for your evaluation purpose you can make use of the following eval expression to come up with the same | eval current_month_last_day=relative_time(now(),"+1mon@mon-1d").

Following is the run anywhere query which you can use to test dates like 05/30 and 05/31 for open_date for the current month:

 | makeresults
 | eval open_date=strptime("2017/05/31 13:55:00","%Y/%m/%d")
 | eval close_date=strptime("2017/06/03 10:23:00","%Y/%m/%d")
 | eval current_month_last_day=relative_time(now(),"+1mon@mon-1d")
 | where close_date>current_month_last_day AND open_date=current_month_last_day
 | fieldformat open_date=strftime(open_date,"%Y/%m/%d")
 | fieldformat close_date=strftime(close_date,"%Y/%m/%d")
 | fieldformat current_month_last_day=strftime(current_month_last_day,"%Y/%m/%d")

What is your criteria for End Of the month?

Following is a run anywhere search which takes open_date>25 as End of the Month and find records where close_month changes.
PS: makeresults and First two evals for open_date and close_date are to mock the data.

| makeresults
| eval open_date=strptime("2017/01/26 13:55:00","%Y/%m/%d %H:%M:%S")
| eval close_date=strptime("2017/02/03 10:23:00","%Y/%m/%d %H:%M:%S")
| eval open_month=strftime(open_date,"%m")
| eval open_day=strftime(open_date,"%d")
| eval close_month=strftime(close_date,"%m")
| where close_month>open_month AND open_day>"25"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nsanchezfernand
Path Finder
‎05-23-2017 04:31 AM

Hi, niketnilay.

Thanks for the response. My end of month criteria is last day of each month... It's dependent of the month. My problem is that I have to compare a date that does not exist in any field (31th january, 28th february, 30th march....) with the fields open_date and close_date, and then put in a chart how many tickets were open in each end of month.

I've tried what you purposed to me and it does not work for my requisite, however, thanks!

Thanks.

0 Karma
Reply

aorkcreate
New Member
‎08-08-2018 12:16 PM

I've needed the same output ,did you achieve that ,can you tell me how is it possible ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...