Our event lists the answer to one question on a test.
Our test numbers are unique to one set of test questions by one student at the time they took the test.
I can handle grading the tests using eval(grade_function) by test_number (e.g. grade=B)
Students can take the test at any time and retake the test as many times as they want or only take the test once.
I want to track the student's progress every month.
Thus for every student, I want to get their last test results before each month's end and plot the number of students who achieved each grade. Note the last test result for a student may appear many months before the current month end.
This should look like a bar or line graph and each X axis value is a month and each bar at an X value represents a count of the number of "A", "B", "C", and "D" grades.
The first part I think I can handle by processing the list of events by test number and generating statistics as a table.
Once I have done this, I have no "test" events (only lines in a table) to order or search by or sum up results.
I don't know if there is a way to turn a table into a series of events.
I also realize I may be very far off the way to use Splunk to process the data.
Do it like this:
... | bucket _time span=1mon | stats latest(grade) AS grade BY student test_number _time | timechart span=1mon count by grade
Given your "all time" clarification, try this:
... | eventstats latest(_time) AS lastTestTime BY student test_number | eval Grade=if(_time=lastTestTime, grade, null()) | bucket _time span=1mon | stats latest(Grade) AS Grade BY student test_number _time | timechart span=1mon count by Grade
This assumes that the most recent grade for every student+test_number is the only one counted and that it is only counted in the month that the latest grade occurred (all previous grades for this student+test_number pairings are ignored).
The suggestion almost works.
The bad results occur when a student has not written a test within a month but wrote a test more than a month ago.
The student's grades carried over from the earlier months do not count for the grades in the latest month.
This might start working once you replace span=1m with span=1mon.
Fixed; thank you.
It's still bucketing by minutes.
Got it again.
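
Added example, not posted by anyone in this thread: one way to get the carry-over behaviour described above is to take each student's latest grade per month, fill empty months down from the previous month, and only then count by grade. The rows in constructed_rows are made-up sample data standing in for the already-graded results, and the field names student and grade are assumed to match the ones used in the searches above.

```spl
| makeresults
| eval constructed_rows=split("2024-01-10,alice,B;2024-03-05,alice,A;2024-01-20,bob,C;2024-02-15,carol,D", ";")
| mvexpand constructed_rows
| eval f=split(constructed_rows, ","), _time=strptime(mvindex(f, 0), "%Y-%m-%d"), student=mvindex(f, 1), grade=mvindex(f, 2)
| fields _time student grade
| timechart span=1mon limit=0 latest(grade) BY student
| filldown
| untable _time student grade
| where isnotnull(grade)
| timechart span=1mon count BY grade
```

The first timechart produces one column per student (limit=0 keeps every student instead of folding the rest into OTHER), filldown copies the previous month's grade into months where that student took no test, and untable turns the columns back into one row per student per month so the final timechart can count them. Against real data, replace the first five lines with the search that yields one row per graded test with _time, student and grade.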