Hello,

I'm trying to add the appearance of a certain value in my base search count. The value is "detatched". It is written in an event when a certain license has been used. This detatched license has a lifespan of 14 days; afterwards it's not active anymore and I don't need to add this to my base search anymore.

So basically it's like this:

index=indexa=* licensecount=* productid=5000 earliest=-30d@d latest=now()
| eval flag="basecount"
| append [search index=indexa =* productid=5000 subject="*detatched*" earliest=-45d@d latest=-31d@d | eval flag="addcount"]
| stats count(eval(flag="basecount")) as basecount count(eval(flag="addcount")) as addcount
| eval totalcount = basecount+addcount
| timechart span=1d count(totalcount)

I know this query is partially stupid, but what I want to show is what I'm trying to accomplish.

Example: Today I have a licence count of the product 5000 of 5, 14 days ago I had a count of 1, therefore today it should show me 6. Tomorrow, this count of 1 shouldn't be added anymore, cause it's more than 14 days old and not active anymore. This should be seen - ideally - in a timechart.

Hope someone can make sense of this. Much appreciate any help or feedback, cause, maybe it's not possible to do so in Splunk.

Thanks a lot guys