Solved: Re: How to create a timechart with the count of op...

lordadmiral · ‎04-29-2016

Hi there,

I have events which indicate opening and closing of an event. I want to see the amount of open events (that did not get a closing event by that time) at a given time.

Snipped from my search so far:

... | stats earliest(_time) as _time by processid, service, location | eval combkey = service." - ".processid | eval openclosed = if(location="o","close","open") | timechart...

I just have no idea how to achieve this.

Any idea is welcome 🙂

thanks
lordadmiral

somesoni2 · ‎04-29-2016

Try like this

.. | stats earliest(_time) as _time by processid, service, location | eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)

View solution in original post

somesoni2 · ‎04-29-2016

Try like this

.. | stats earliest(_time) as _time by processid, service, location | eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)

lordadmiral · ‎05-02-2016

Thanks a lot somesoni2!

sundareshr · ‎04-29-2016

Have you tried ... | timechart span=15m count by openclosed

lordadmiral · ‎05-02-2016

Thanks for answering sundareshr! somesoni2´s answer did the trick. 😉

How to create a timechart with the count of open events that did not have a closing event within a certain time frame?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!