Splunk Search

show difference of 2 accumulated values in line chart

matansocher
Contributor

Hi,

I have created a chart to show the accumulated number of open and closed ticket:


My code:

sourcetype=snow:incident
| dedup number 
| search dv_assignment_group=*israel* (dv_assigned_to=*)
| eval sys_created_on = substr(sys_created_on,1,10) 
| replace 5 with Closed 7 with Closed in incident_state
| table number incident_state _time 
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed

I thought of a better way to show the difference: 1 line to represent the difference between the "Open" and "Closed" over time.

Thanks

0 Karma
1 Solution

rjthibod
Champion

To do what you want, you can simply add | eval Diff = Opened - Closed | fields - Opened Closed to the end of your query.

Separately, I recommend you simplify and optimize your search. Got some unnecessary stuff in there.

 sourcetype=snow:incident dv_assignment_group=*israel* dv_assigned_to=*
| fields _time number  incident_state 
| dedup number 
| replace 5 with Closed 7 with Closed in incident_state
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed
| fillnull value=0 Opened Closed
| eval Diff = Opened - Closed
| fields - Opened Closed

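As an added illustration (not part of the original thread, and not Splunk code), the following Python models what the accepted search computes: dedup keeps the latest event per ticket number, timechart buckets by day and counts Opened and Closed (states 5 and 7), accum turns those into running totals, and Diff is the backlog. The event records are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of snow:incident events (not real data). A ticket appears
# once per state change, so the same number can occur on several days.
EVENTS = [
    {"_time": "2019-03-01T09:00:00", "number": "INC001", "incident_state": "1"},
    {"_time": "2019-03-01T11:30:00", "number": "INC002", "incident_state": "2"},
    {"_time": "2019-03-02T08:15:00", "number": "INC001", "incident_state": "7"},  # closed
    {"_time": "2019-03-02T10:00:00", "number": "INC003", "incident_state": "1"},
    {"_time": "2019-03-03T14:45:00", "number": "INC002", "incident_state": "5"},  # closed
    {"_time": "2019-03-03T16:00:00", "number": "INC004", "incident_state": "2"},
]

CLOSED_STATES = {"5", "7"}  # the states the search rewrites to "Closed"


def dedup_latest(events):
    """Equivalent of `| dedup number`: keep the most recent event per ticket."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        latest[ev["number"]] = ev
    return list(latest.values())


def day_range(first, last):
    """Yield every calendar day from first to last, like `timechart span=1d`."""
    d, end = date.fromisoformat(first), date.fromisoformat(last)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


def timechart_accum_diff(events):
    """Return rows of (day, Opened, Closed, Diff) with cumulative counts.

    Opened is the running count of all deduplicated events, Closed the running
    count of those in a closed state, Diff = Opened - Closed (open backlog).
    Days without events contribute 0, as timechart/fillnull do in Splunk.
    """
    per_day = defaultdict(lambda: [0, 0])
    for ev in dedup_latest(events):
        day = ev["_time"][:10]
        per_day[day][0] += 1
        if ev["incident_state"] in CLOSED_STATES:
            per_day[day][1] += 1
    rows, opened, closed = [], 0, 0
    for day in day_range(min(per_day), max(per_day)):
        opened += per_day[day][0]   # `| accum Opened`
        closed += per_day[day][1]   # `| accum Closed`
        rows.append((day, opened, closed, opened - closed))
    return rows
```

Because dedup keeps each ticket's latest event, INC001 and INC002 are counted on the day they were closed rather than the day they were created; if you want Opened keyed to creation, bucket on sys_created_on instead of _time.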
