- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart accumulation of all events from previous...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart accumulation of all events from previous times
I want to create a timechart that counts all active events (Status = active). These are bug reports. This is actually a burn down chart.
Therefore, if I have 2 open bugs on Monday, and 3 Open bugs on Tuesday,
the chart should show 2 on Monday and 5 on Tuesday.
Lets say 1 of the Monday bugs became resolved on Tuesday, then on Tuesday, I have 1 open bug from Monday and 3 on Tuesday. The chart would then show 2 on Monday and 4 on Tuesday.
For the bug that was resolved, there are two individual events representing it:
First event : Status = Open, BugId=1, time=Monday
Second Event : Status = Closed, BugId=1, time=Tuesday
I have to make a timechart that takes all open bugs in consideration.
I cannot simply use dedup on BugId before my timechart command, as this removes my open bug on Monday.
Also, I cannot simply accumulate my bars with eventstats, as the bug that is open on Monday may be closed on Tuesday, but Tuesday would still show 5 bugs, where it should be 4.
I need to be able to dedup the bugs and add all the open bugs for EACH individual bucket of time.
Note: If a bug is opened on Monday and closed on Wednesday, I would like it to show up(count) as Open for both Monday and Tuesday.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would use a stats command to aggregate things:
| stats last(_time) as _time first(status) as status by BugId
THis will give you one row per BugId with the oldest _time it was seen, and the most recent status. THen you can pipe that to a filter so you only get the Open BugId's, and timechart that set of results.
| stats last(_time) as _time first(status) as status by BugId | where status="Open" | timechart count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am currently facing a similar issue where I need to track past events and show their active state over time. Have you solved your problem and found a way to build an accurate chart? If so, can you please provide an example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with this is that the bug will only be applied to one time. I want the bug to be counted for all the times it is open. For example, if the bug is open on Monday and closed on Thursday, I want to see it counted for the Monday, Tuesday and Wednesday count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then you simply remove the | where status="Open" bit
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this answer, it will eliminate all my bugs that were closed.
If a bug was opened on Monday and closed on Tuesday, I still want it to show up for the Monday count. I do not want only the bugs that are currently still open.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
