Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

compare the custom dates with the _time

praveenkpatidar
Explorer
‎03-15-2016 01:19 AM

Hello,

I have ticket data like below

ID Open_date Close_date
1 01/01/2016 02/01/2016
2 01/01/2016 01/01/2016
3 02/01/2016 03/01/2016
4 02/01/2016 03/01/2016
5 02/01/2016 03/01/2016
6 03/01/2016 04/01/2016

I want to populate the data on the basis of timeline.

If I choose Jan Month in timeline The open date and closed date should have compared with timeline and counts should be visible

Like for Jan Selection
Date Open Count Closed Count
1-Jan-16 2 1
2-Jan-16 3 1
3-Jan-16 1 3
4-Jan-16 0 1

Is it any way to do this I am literally searching all options. I have data model however any other approach is also welcomed.

Thanks
Praveen

Tags (1)
0 Karma
Reply

DMohn
Motivator
‎03-16-2016 01:59 AM

The key to your success would be the streamstats command. I am not sure if it is the most pretty or effective solution, but it gives you the wanted results:

 your_base_search
   | streamstats count as opencount by Open_date
   | streamstats count as closecount by Close_date
   | timechart span=1d max(opencount) as "Tickets opened", max(closecount) as "Tickets Closed"

Your data needs to have the event timestamp as the creation day for this search to work, maybe you need to tune this a bit by adding an eval _time= .... to your search to achieve this.

0 Karma
Reply

praveenkpatidar
Explorer
‎03-15-2016 06:34 PM

Some more progress on this.

Below both searches giving me results what I want. The only issue is joining the result into one result.
It should join all entities.

Closed Trend
index="idx" host=Incidents | eval _time = strptime ( resolved_at, "%d/%m/%Y %H:%M:%S") | chart count(number) as closed by _time bins=100

Open Trend
index="idx" host=Incidents | eval _time = strptime ( sys_created_on, "%d/%m/%Y %H:%M:%S") | chart count(number) as open by _time bins=100

0 Karma
Reply

somesoni2
Revered Legend
‎03-15-2016 07:53 AM

The original data is in CSV or it's ingested in Splunk? If it's ingested, which column _time field is based on?

0 Karma
Reply

praveenkpatidar
Explorer
‎03-15-2016 04:21 PM

Thanks somesoni2
Sorry, I missed that to mention.

So _time is created date. So I guess the Open Count is now resolved. In the same way I have to do Closed Count.
All data is ingested in Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...