Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart accumulation of all events from previous times

cmak
Contributor
‎03-05-2013 06:28 PM

I want to create a timechart that counts all active events (Status = active). These are bug reports. This is actually a burn down chart.

Therefore, if I have 2 open bugs on Monday, and 3 Open bugs on Tuesday,
the chart should show 2 on Monday and 5 on Tuesday.

Lets say 1 of the Monday bugs became resolved on Tuesday, then on Tuesday, I have 1 open bug from Monday and 3 on Tuesday. The chart would then show 2 on Monday and 4 on Tuesday.

For the bug that was resolved, there are two individual events representing it:
First event : Status = Open, BugId=1, time=Monday
Second Event : Status = Closed, BugId=1, time=Tuesday

I have to make a timechart that takes all open bugs in consideration.
I cannot simply use dedup on BugId before my timechart command, as this removes my open bug on Monday.

Also, I cannot simply accumulate my bars with eventstats, as the bug that is open on Monday may be closed on Tuesday, but Tuesday would still show 5 bugs, where it should be 4.

I need to be able to dedup the bugs and add all the open bugs for EACH individual bucket of time.

Note: If a bug is opened on Monday and closed on Wednesday, I would like it to show up(count) as Open for both Monday and Tuesday.

Reply

emiller42
Motivator
‎03-05-2013 06:36 PM

I would use a stats command to aggregate things:

| stats last(_time) as _time first(status) as status by BugId

THis will give you one row per BugId with the oldest _time it was seen, and the most recent status. THen you can pipe that to a filter so you only get the Open BugId's, and timechart that set of results.

| stats last(_time) as _time first(status) as status by BugId | where status="Open" | timechart count
0 Karma
Reply

michaelmuenzer
New Member
‎02-03-2015 09:21 AM

I am currently facing a similar issue where I need to track past events and show their active state over time. Have you solved your problem and found a way to build an accurate chart? If so, can you please provide an example?

0 Karma
Reply

cmak
Contributor
‎03-06-2013 01:44 PM

The problem with this is that the bug will only be applied to one time. I want the bug to be counted for all the times it is open. For example, if the bug is open on Monday and closed on Thursday, I want to see it counted for the Monday, Tuesday and Wednesday count.

0 Karma
Reply

emiller42
Motivator
‎03-06-2013 01:21 PM

Then you simply remove the | where status="Open" bit

0 Karma
Reply

cmak
Contributor
‎03-06-2013 10:28 AM

For this answer, it will eliminate all my bugs that were closed.
If a bug was opened on Monday and closed on Tuesday, I still want it to show up for the Monday count. I do not want only the bugs that are currently still open.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...