Splunk Search

count how many records was opened by open date field

matansocher
Contributor

Hi,

I have a table of incidents and I want to count the number of incidents opened per month.
Each record updates after the status of an incident is change. for example, incident is closed so the old record updated the status field to close.
table:
alt text

After an update, the only thing I have left to know about the opening of the incident is the creation date field (sys_created_on).

Is there any way I can count the number of incidents opened for every month in timechart?

Thanks

0 Karma
1 Solution

rjthibod
Champion

You can convert sys_created_on to a timestamp using | eval timestamp = strptime(sys_created_on, "%m/%d/%Y"), so then you can make a timechart after that.

<YOUR BASE SEARCH> | eval timestamp = strptime(sys_created_on, "%m/%d/%Y") | rename timestamp as _time | timechart span=1mon count as Opened

View solution in original post

rmarcum
Explorer

If this is from the Splunk ServiceNow App, the _time is most likely coming in as LOCAL, and sys_created_on as GMT. On your dashboard you most likely want your time chart to also be LOCAL time. Accordingly, I would recommend:

 | rename COMMENT AS "equate _time TO sys_created_on_Local which can be converted FROM sys_created_on_GMT "
 | eval _time=strptime((sys_created_on_GMT." UTC"),"%Y-%m-%d %T %Z")
 | timechart count ... etc.
0 Karma

rjthibod
Champion

You can convert sys_created_on to a timestamp using | eval timestamp = strptime(sys_created_on, "%m/%d/%Y"), so then you can make a timechart after that.

<YOUR BASE SEARCH> | eval timestamp = strptime(sys_created_on, "%m/%d/%Y") | rename timestamp as _time | timechart span=1mon count as Opened

Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...