Hi Everyone,
My apologies for the long message, but I hope this will give enough information about my requirement.
My current Splunk search returns an output with three columns - viz. Ticket_Number, Created_Date, Classification. The data is displayed for each day of the month.
I need to show the data in the format like for each month, how many Ticket_Numbers as per the Classification. e.g.:
In January, one Sev-1 and one Sev-2. In May two Sev-2, one Sev-3 and one Sev-4 and so on.
Also, I need to display this output in a graphical representation.
My search is:
index="my_index" sourcetype="type_1" | rename "Ticket Number" as Ticket_Number | rename "Date Created" as Ticket_created_date | table Ticket_Number, Ticket_created_date | join Ticket_Number [search index="my_index" sourcetype="type_2" | rename "Incident Number" as Ticket_Number | rename CLASSIFICATION as Classification | table Ticket_Number, Classification] | table Ticket_Number, Ticket_created_date, Classification
My sample output:
Ticket_Number   Ticket_created_date   Classification
12345           24/1/2015 9:02        Sev-1
12346           25/1/2015 9:02        Sev-2
12347           26/2/2015 9:02        Sev-3
12348           27/2/2015 9:02        Sev-1
12349           28/3/2015 9:02        Sev-4
12350           29/3/2015 9:02        Sev-2
12351           30/4/2015 9:02        Sev-3
12352           30/4/2015 9:02        Sev-1
12353           1/5/2015 9:02         Sev-4
12354           2/5/2015 9:02         Sev-2
12355           3/5/2015 9:02         Sev-2
12356           4/5/2015 9:02         Sev-3
12357           5/6/2015 9:02         Sev-1
12358           6/6/2015 9:02         Sev-4
12359           7/7/2015 9:02         Sev-4
12360           8/7/2015 9:02         Sev-2
12361           9/8/2015 9:02         Sev-3
12362           10/8/2015 9:02        Sev-1
Can anyone please help me with the search and how to display the final output in a graph?
Thanks in advance.
Try something like this
index="my_index" sourcetype="type_1" | rename "Ticket Number" as Ticket_Number | rename "Date Created" as Ticket_created_date | table Ticket_Number, Ticket_created_date | join Ticket_Number [search index="my_index" sourcetype="type_2" | rename "Incident Number" as Ticket_Number | rename CLASSIFICATION as Classification | table Ticket_Number, Classification] | table Ticket_Number, Ticket_created_date, Classification | eval Month=strftime(strptime(Ticket_created_date,"%d/%m/%Y %H:%M"),"%Y-%m") | chart count over Month by Classification
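To check what the chart should show for the sample rows above, here is an offline model of the same pipeline (inner join on ticket number, bucket the creation date into a month, count per Classification). This is example code added to the thread, not the poster's search or anything from Splunk; the two lists of rows are constructed to mirror the thread's `type_1` and `type_2` sourcetypes, and ticket 12399 is a made-up row with no matching classification to show what the join drops. It also shows the failure mode a wrong `strptime` format produces: with `%m/%d/%Y` the sample dates (day first) are either rejected or silently put in the wrong month.

```python
"""Offline model of the pipeline in the answer above: join two sources on
Ticket_Number, bucket by month, and count per Classification.
Example code added to this thread; not from the original poster or Splunk."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data mirroring the thread's two sourcetypes.
TYPE_1 = [  # sourcetype="type_1": ticket number and creation date (d/m/Y H:M)
    {"Ticket Number": "12345", "Date Created": "24/1/2015 9:02"},
    {"Ticket Number": "12346", "Date Created": "25/1/2015 9:02"},
    {"Ticket Number": "12353", "Date Created": "1/5/2015 9:02"},
    {"Ticket Number": "12354", "Date Created": "2/5/2015 9:02"},
    {"Ticket Number": "12355", "Date Created": "3/5/2015 9:02"},
    {"Ticket Number": "12356", "Date Created": "4/5/2015 9:02"},
    {"Ticket Number": "12399", "Date Created": "9/5/2015 9:02"},  # constructed: no classification row
]
TYPE_2 = [  # sourcetype="type_2": incident number and classification
    {"Incident Number": "12345", "CLASSIFICATION": "Sev-1"},
    {"Incident Number": "12346", "CLASSIFICATION": "Sev-2"},
    {"Incident Number": "12353", "CLASSIFICATION": "Sev-4"},
    {"Incident Number": "12354", "CLASSIFICATION": "Sev-2"},
    {"Incident Number": "12355", "CLASSIFICATION": "Sev-2"},
    {"Incident Number": "12356", "CLASSIFICATION": "Sev-3"},
]

DATE_FMT = "%d/%m/%Y %H:%M"  # matches "24/1/2015 9:02"; "%m/%d/%Y" would reject day 24 as a month


def to_month(date_str, fmt=DATE_FMT):
    """Equivalent of strftime(strptime(x, fmt), "%Y-%m"). Returns None when the
    format does not fit, which is the null Month that Splunk's strptime yields."""
    try:
        return datetime.strptime(date_str, fmt).strftime("%Y-%m")
    except ValueError:
        return None


def join_and_chart(type_1, type_2, fmt=DATE_FMT):
    """Inner join on ticket number (like `join Ticket_Number [...]`), then
    `chart count over Month by Classification`.
    Returns {month: {classification: count}} with months sorted."""
    classification = {r["Incident Number"]: r["CLASSIFICATION"] for r in type_2}
    counts = defaultdict(Counter)
    for row in type_1:
        ticket = row["Ticket Number"]
        if ticket not in classification:  # join drops tickets with no type_2 row
            continue
        month = to_month(row["Date Created"], fmt)
        if month is None:  # unparsable date -> null Month, excluded from the chart
            continue
        counts[month][classification[ticket]] += 1
    return {m: dict(c) for m, c in sorted(counts.items())}


def chart_rows(counts):
    """Flatten to the shape Splunk's chart tables: one row per month with every
    classification as a column, missing combinations as 0. Returns (rows, header)."""
    cols = sorted({c for per_month in counts.values() for c in per_month})
    rows = [[m] + [counts[m].get(c, 0) for c in cols] for m in counts]
    return rows, ["Month"] + cols


if __name__ == "__main__":
    rows, header = chart_rows(join_and_chart(TYPE_1, TYPE_2))
    print("\t".join(header))
    for r in rows:
        print("\t".join(str(v) for v in r))
```

With the correct format the result is one Sev-1 and one Sev-2 for 2015-01 and two Sev-2, one Sev-3 and one Sev-4 for 2015-05, which is exactly the row/column layout a column or stacked bar chart over Month is drawn from. Calling `join_and_chart(TYPE_1, TYPE_2, "%m/%d/%Y %H:%M")` instead throws away the January rows and files the May tickets under January to April, so a sanity check of the Month field against a few raw dates is worth doing before trusting the chart.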
Thank you so much. It worked!