Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Historical count of open Jobs - at point in time.

ajos32
Engager
‎09-28-2015 04:08 PM

I have a simple ticketing system.

I need to show the number of tickets open for each client at the end of each week - since 1/1/2015.

This search will show the number of jobs opened for that week

...Project="MyClient1" 
| eval DateCreated=strptime(Created,"%d/%m/%Y %H:%M")
| eval DateResolved=strptime(Resolved,"%d/%m/%Y %H:%M")
| eval JobState=if(DateResolved>DateCreated,"Calculated Closed","CalculatedAsOpen")
| where JobState="CalculatedAsOpen"
| timechart span=1week count(JobState) by JobState

but does not count jobs open from previous weeks.

The query would need to evaluate DateResolved against the current timechart time to determine if it was still open.

A similar question is posted here https://answers.splunk.com/answers/78275/timechart-accumulation-of-all-events-from-previous-times.ht...

AJ

alt text

Preview file
1 KB
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎09-28-2015 09:17 PM

Without seeing your dataset, I can recommend that you would change your query a bit..

 ... | bin span=1w _time | stats count(JobState) by Customer

This assumes that you have a value for Customer declared, and that each event has this Customer field in the data.

0 Karma
Reply

ajos32
Engager
‎09-28-2015 09:59 PM

My example search is probably misleading.

The JobState needs to be evaluated against the "point in time the TimeChart/Bin is currently in" to determine if the Job was open at that point in time.

Eg If DateResolved > CurrentDateInTimeChart then JobState=Open

This same problem is presented (and better articulated) here:
https://answers.splunk.com/answers/78275/timechart-accumulation-of-all-events-from-previous-times.ht...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...