How do you add a row to a table that contains text and an eval value?

dojiepreji
Path Finder

I am creating a table that tallies each type of request per day. Table is as follows.

 Day   | Assigned | Resolved | Open
 Jan 1 | 13       | 2        | 12
 Jan 2 | 6        | 2        | 12

My code:

bin _time span=day 
| stats count(eval(request="queue")) as Assigned count(eval(request="resolved")) as Resolved count(eval(current_ticket_state="open")) as Open by _time 
| eval _time = strftime(_time, "%d-%b-%y") 
| rename _time as Day 

What I need now is a row that will have a text of 'carryover' on column Day and an eval carryover = Resolved - Assigned from the previous month for its value on the 'Assigned' column. Here is the supposed output.

 Day       | Assigned | Resolved | Open
 Carryover | 5        |          |
 Jan 1     | 13       | 2        | 12
 Jan 2     | 6        | 2        | 12

How should I achieve this?

0 Karma

woodcock
Esteemed Legend

Your description does not at all match your sample output in the following ways:
1: It only shows 1 month
2: The Carryover value of 5 cannot be achieved by any convolution of the math that you provided.

0 Karma

mstjohn_splunk
Splunk Employee

hi @dojiepreji,

Are you still having trouble with this issue? If so, please answer the commenter above so that they can help you further. Or, if you solved your query, would you mind describing the steps you took so that others can learn from your solution?

Thanks.

0 Karma
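
One way to produce the layout the question asks for, as an added example that is not part of the original thread: compute the carryover row first, then use `append` to attach the daily rows beneath it. Assumptions: `your_index` is a placeholder index name, "previous month" means the previous calendar month, the daily rows cover the current month to date, and the carryover is Resolved - Assigned exactly as the question words it.

```spl
index=your_index earliest=-1mon@mon latest=@mon
| stats count(eval(request="queue")) as Assigned count(eval(request="resolved")) as Resolved
| eval Day="Carryover", Assigned=Resolved-Assigned
| fields Day Assigned
| append
    [ search index=your_index earliest=@mon latest=now
      | bin _time span=1d
      | stats count(eval(request="queue")) as Assigned count(eval(request="resolved")) as Resolved count(eval(current_ticket_state="open")) as Open by _time
      | eval Day=strftime(_time, "%d-%b-%y")
      | fields Day Assigned Resolved Open ]
| table Day Assigned Resolved Open
```

The outer search returns a single row, so the Carryover line stays on top and its Resolved and Open cells are left empty. The daily rows come from an `append` subsearch, which is subject to Splunk's subsearch runtime and result limits.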