Solved: DB Query dumps a table. How do I search only on t...

ocallender · ‎02-11-2014

Hi folks,
This might be elementary, but here goes:

I have a Database input that grabs all open tickets from our helpdesk system. This runs every 5 minutes. So I end up with a nice index of table snapshots and I can create nice timecharts with span=5m showing how metrics change (every 5 minutes).

But what if I wanted to visualise a pie chart showing currently open vs on-hold tickets? All of that data would come from the last data dump that was done. The quick and dirty solution i found was to set the tme reange as 5 minute window. That way, the chart updates each time a data dump is done and ignores the data from teh last dump because it happened more than 5 minutes ago.

I guess this works, but if I change the pooling interval to 10 minutes, I'd have to change the time window to match the polling rate in all of my dashboards. I can't help thinking that there is a better way.

Regards,
Okolo

araitz · ‎02-11-2014

This should give you the latest status value for tickets:

index=your_index status="open" OR status="on_hold" | stats latest(status) as status by ticket_number | ...

View solution in original post

araitz · ‎02-11-2014

This should give you the latest status value for tickets:

index=your_index status="open" OR status="on_hold" | stats latest(status) as status by ticket_number | ...

DB Query dumps a table. How do I search only on the most recent table snapshot?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?