Re: How can I retrieve data for between dates?

udaypulipaka · ‎02-13-2019

Hi,

I have a field called "Created_date". My requirement is to get a monthly count of created and closed tickets. How do I find a created count for a particular month?

 index="os" sourcetype="Service" (Group="Conn" OR Group="Data") AND (Section="Local" OR Section="health") AND (Component="connectivity" OR Component="health")|dedup CaseNumber,Created_ON|eval closed=if(status="Complete",1,NULL)|stats count(Created_date) AS Created count(closed) AS Closed

If i run with a 24 hours range, then it is showing the previous months. "Created_date" data aslo. I need to show 6 months data monthly, how many were created and closed on that particular month.

Please help me figure out how to do this!

nickhills · ‎02-13-2019

One thing you can do which is pretty nifty is to eval _time to match your created date.
You need to make sure that its in epoch format first, but if you added something like:
|eval Created_date=strptime(Created_date, "%Y-%m-%d %H:%S")|eval _time=Created_date, you can then use timechart to render them based on when they were opened

just a note: is the field "Created_date" or "Created_ON" - your example uses both - I presume only one is correct!?

index="os" sourcetype="Service" (Group="Conn" OR Group="Data") AND (Section="Local" OR Section="health") AND (Component="connectivity" OR Component="health")|dedup CaseNumber,Created_date|eval closed=if(status="Complete",1,NULL)|eval Created_date=strptime(Created_date, "%Y-%m-%d %H:%S")|eval _time=Created_date|timechart count by closed

If my comment helps, please give it a thumbs up!

How can I retrieve data for between dates?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...