- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
simon1524
Explorer
06-30-2022
12:54 AM
There is something wrong with the data output by using apendcols. The data of Total_Actual is blank from 02-2022. But actually there has data all of months. May I know what's the reason..?
index=sourceA
PRIORITY="High" OR
PRIORITY="Medium" OR
PRIORITY="Low"
WAS_CRITICAL="yes"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total
| appendcols [search index=sourceA
PRIORITY="Critical"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total_Actual]
| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _timeOUTPUT
| _time | Total | Total_Actual | Rate_% |
| 2021-07-01T00:00:00.000+0200 | 76 | 64 | 84.21 |
| 2021-08-01T00:00:00.000+0200 | 74 | 51 | 68.92 |
| 2021-09-01T00:00:00.000+0200 | 81 | 45 | 55.56 |
| 2021-10-01T00:00:00.000+0200 | 75 | 71 | 94.67 |
| 2021-11-01T00:00:00.000+0200 | 118 | 58 | 49.15 |
| 2021-12-01T00:00:00.000+0200 | 101 | 105 | 103.96 |
| 2022-01-01T00:00:00.000+0200 | 81 | 86 | 106.17 |
| 2022-02-01T00:00:00.000+0200 | 95 | ||
| 2022-03-01T00:00:00.000+0200 | 85 | ||
| 2022-04-01T00:00:00.000+0200 | 96 | ||
| 2022-05-01T00:00:00.000+0200 | 106 | ||
| 2022-06-01T00:00:00.000+0200 | 141 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VatsalJagani
SplunkTrust
06-30-2022
02:47 AM
@simon1524 - Try this query instead:
index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual
| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _timeSingle timechart command without appendpipe should give you the results.
This query is much more robust and performance effective.
I hope this helps!!! Karma/upvote would be appreciated!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VatsalJagani
SplunkTrust
06-30-2022
02:47 AM
@simon1524 - Try this query instead:
index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual
| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _timeSingle timechart command without appendpipe should give you the results.
This query is much more robust and performance effective.
I hope this helps!!! Karma/upvote would be appreciated!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
simon1524
Explorer
06-30-2022
06:09 PM
With your query the data shows correctly.
Thank you very much!!
