Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to edit my search to generate a report of Current Status over time?

wmusch
New Member
โ€Ž05-12-2017 05:31 PM

Greetings everyone.

I'm trying to do what I think is a simple task, but for some reason it is troubling. I loaded some CSV data into Splunk, and have this search:

Course="MYCOURSE*" Progres=100 | chart count by Course "Current Status"

Now, I get a result of my four courses, and the pass fail state (Current Status).
alt text

That is good, now I cant seem to generate this report over time. So basically I would like to see a bar graph, showing the pass/fail state for each course for each month. The trouble I think I'm running into is the use of chart and not timechart, however I seem to have trouble creating a timechart that breaks up the "Current Status" field that could be either pass or fail

Here is an example of the data set:
User User ID Course Course Start Date Course Completion Date Progress Current Average Current Status Time In Course
Jon ID1 Course 1 2/16/2017 16:25 2/17/2017 13:49 100 86 PASS 1h 17m
Doe ID1 Course 1 10/28/2016 3:43 11/7/2016 5:11 100 72 FAIL 107h 32m

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
โ€Ž05-17-2017 04:49 AM

Like this:

Course="MYCOURSE*" Progres=100 | eval CourseAndStatus = Course . ":" . $Current Status$ | timechart count BY CourseAndStatus
0 Karma
Reply