I have a datasource that drops data into Splunk every 10 minutes that contains data about my team's workflow.
The data in Splunk looks something like this
10:00am "Priority" = 10
10:00am "Normal" = 100
10:10am "Priority" = 8
10:10am "Normal" = 102
10:20am "Priority" = 12
10:20am "Normal" = 95
etc.
I want to create a table that looks like this:
Priority Type, Tickets Now, Tickets 1 hour ago, Tickets 24 hours ago
Normal,95,100,103
Priority,12,,10,8
My search is:
index="data" source="log" earliest=-12hr
TicketPriority= "Normal" OR "Priority"
| bin field3 span=10m
| dedup TicketPriority
| stats values(field3) by TicketPriority
How can I get it to add the numbers of tickets from 1 hour ago and 24 hours ago?
Assuming you have a _time field and field3 is your count
index="data" source="log" earliest=-24hr
TicketPriority= "Normal" OR "Priority"
| bin _time span=10m
| eval bucket=round((now() - _time) / (60 * 10), 0)
| where bucket IN ( 0, 6, 144 )
| eval bucket=case(0,"Tickets now", 6, "Tickets 1 hour ago", 144, "Tickets 24 hours ago")
| chart values(field3) by TicketPriority bucket
Assuming you have a _time field and field3 is your count
index="data" source="log" earliest=-24hr
TicketPriority= "Normal" OR "Priority"
| bin _time span=10m
| eval bucket=round((now() - _time) / (60 * 10), 0)
| where bucket IN ( 0, 6, 144 )
| eval bucket=case(0,"Tickets now", 6, "Tickets 1 hour ago", 144, "Tickets 24 hours ago")
| chart values(field3) by TicketPriority bucket