How to filldown by multiple criteria ?

erichard · ‎02-06-2018

I,

My use case :

We monitor change state events on projects :

{

date: 2018-02-06T11:00:07+01:00

id: 473184 <= event identifier
newStateId: 4

oldStateId: 2

projectId: 28381 <= project identifier
type: project_change_state

}

I need to know by day how many project are on the state "running" {2,3,4},
with the following request I'm able to extract the states change by day :

index="gtav21_logs" type=project_change_state projectId=12903
| sort id |eval _time=strptime('date',"%FT")
| stats last(id) as id,last(newStateId) as newStateId,first(newStateId) as oldStateId by _time
|table id,_time,newStateId

id _time newStateId
351577 2016-03-17 7
351578 2016-03-18 1
351579 2016-06-21 2
351575 2017-01-05 8

The problem is the gap between day, if I work on 1 project I can use makecontinuous & filldown but not scalable with
number of project >1.

My idea is to have something like :

projectId id _time newStateId
12903 351577 2016-03-17 7
12903 351578 2016-03-18 1
12903 >>351578 2016-03-19 1
12903 >>351578 2016-03-20 1
12903 >> ...
12903 351579 2016-06-21 2
12903 351575 2017-01-05 8
12904 ...
12904 ...

And then stats count by day,projectId ...

I hope to be clear enough ...

Thanks for your help !

How to filldown by multiple criteria ?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...