- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: compare the custom dates with the _time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
compare the custom dates with the _time
Hello,
I have ticket data like below
ID Open_date Close_date
1 01/01/2016 02/01/2016
2 01/01/2016 01/01/2016
3 02/01/2016 03/01/2016
4 02/01/2016 03/01/2016
5 02/01/2016 03/01/2016
6 03/01/2016 04/01/2016
I want to populate the data on the basis of timeline.
If I choose Jan Month in timeline The open date and closed date should have compared with timeline and counts should be visible
Like for Jan Selection
Date Open Count Closed Count
1-Jan-16 2 1
2-Jan-16 3 1
3-Jan-16 1 3
4-Jan-16 0 1
Is it any way to do this I am literally searching all options. I have data model however any other approach is also welcomed.
Thanks
Praveen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The key to your success would be the streamstats command. I am not sure if it is the most pretty or effective solution, but it gives you the wanted results:
your_base_search
| streamstats count as opencount by Open_date
| streamstats count as closecount by Close_date
| timechart span=1d max(opencount) as "Tickets opened", max(closecount) as "Tickets Closed"
Your data needs to have the event timestamp as the creation day for this search to work, maybe you need to tune this a bit by adding an eval _time= .... to your search to achieve this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some more progress on this.
Below both searches giving me results what I want. The only issue is joining the result into one result.
It should join all entities.
Closed Trend
index="idx" host=Incidents | eval _time = strptime ( resolved_at, "%d/%m/%Y %H:%M:%S") | chart count(number) as closed by _time bins=100
Open Trend
index="idx" host=Incidents | eval _time = strptime ( sys_created_on, "%d/%m/%Y %H:%M:%S") | chart count(number) as open by _time bins=100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The original data is in CSV or it's ingested in Splunk? If it's ingested, which column _time field is based on?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2
Sorry, I missed that to mention.
So _time is created date. So I guess the Open Count is now resolved. In the same way I have to do Closed Count.
All data is ingested in Splunk.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
