Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart the daily sum of the last value of a field for each unique value of another field

thefosk
Engager
‎05-13-2020 04:09 PM

Hello,

I have events in the following format (ordered from oldest to newest😞

buyer=1 open_cases=3
buyer=1 open_cases=2
buyer=1 open_cases=5
buyer=2 open_cases=6
buyer=2 open_cases=1

Cases can be opened or closed during the day and "open_cases" can increase and decrease over time for a specific "buyer". I would like to visualize a timechart of the sum of every "open_cases" we have every day for each buyer.

So first we need to retrieve the last number of open_cases by buyer :

buyer=1 open_cases=5
buyer=2 open_cases=1

The sum them up:

sum_open_cases=6

and then create a timechart that shows the daily trend of "sum_open_cases". How can I achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-13-2020 04:45 PM 
| makeresults
| eval _raw="buyer=1 open_cases=3
 buyer=1 open_cases=2
 buyer=1 open_cases=5
 buyer=2 open_cases=6
 buyer=2 open_cases=1"
| multikv noheader=t
| fields _raw
| rename COMMENT as "this is sample, from here, the logic"
| kv
| bin span=1d _time
| stats last(open_cases) as last_cases by buyer _time
| stats sum(last_cases) as sum_open_cases by _time

try after COMMENT

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-13-2020 04:45 PM 
| makeresults
| eval _raw="buyer=1 open_cases=3
 buyer=1 open_cases=2
 buyer=1 open_cases=5
 buyer=2 open_cases=6
 buyer=2 open_cases=1"
| multikv noheader=t
| fields _raw
| rename COMMENT as "this is sample, from here, the logic"
| kv
| bin span=1d _time
| stats last(open_cases) as last_cases by buyer _time
| stats sum(last_cases) as sum_open_cases by _time

try after COMMENT

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...