Hi Splunkers, I have some data set with Ticket start and end times, I have created index=x sourcetype=y | eval opentickets=if(start>relative_time(now(),"@y"),"Opened","") | eval closetickets = if(end>relative_time(now(),"@y"),"Closed","") | bin _time span=1mon | eventstats count(eval(openticketstate="Opened")) as Opened count(eval(closeticketstat="Closed")) as Closed by _time | eval diff = Opened-Closed | timechart values(Closed) as Closed values(Opened) as Opened Which gives me a nice table of: _time,Closed,Opened 2017-01,108,1 2017-02,27,7 2017-03, 86,64 2017-04,38,33 Question is I have a static number from last year and I need another column TotalOpenTickets that updates this number along with the timechart. So every month, it needs to get previous months TotalOpenTickets count, add Opened count substitute Closed count. My goal is to get the result set of ( let's say static TotalOpenTickets is 200) similar to: _time, Closed, Opened, TotalOpenTickets 2017-01 ,108 ,1 ,93 2017-02 ,27 ,7 ,73 2017-03 ,86 ,66 ,53 2017-04 ,38 ,58 ,73 I hope I explained well. Thanks for reading. ... View more

I have a dataset like below: Ticket#| StartDate | EndDate In my search, I am more into EndDate of the tickets as |eval _time=EndDate | eval Duration = EndDate - StartDate Later on if I try to search something like |timechart avg(Duration) by TicketNum with YTD time range, it excludes the data that started in 2016 and ended in 2017. It only shows correct numbers, if I set earliest to min time of the ticket from last year. This time however, I don't get my time chart for YTD. What should be my approach to get desired result-set? Do you guys have any similar experience. Thanks up front for your time. ... View more

Has anybody experienced installing xmlutils app in Splunk clustered environment? I receive below error with 'xmlprettyprint' command only shcluster installation: [myindexer1insite1] Search Factory: Unknown search command 'xmlprettyprint'. [myindexer2insite2] Search Factory: Unknown search command 'xmlprettyprint'. thanks up front for your time. ... View more

Hi , I have a Splunk DB Connect batch input that runs every 24 hours to get some table result set in Splunk. Over the time since the index kept growing, in order to get best performance and keep data more historically, I added a variable to my SQL query that adds one more fields as PULL_DATE in the format of "%Y-%m-%d" In Splunk, so far I called this in the second pipe as: index=x source=y |where PULL_DATE = strftime(now(), "%Y-%m-%d") and my goal is to take value into first pipe that my searches would provide a better performance, so far I tried, strftime in the first pipe as a value, it doesn't work, Now I am trying to create a macro just to return me a value of. strftime(now(), "%Y-%m-%d") as it is mentioned in this answer. Splunk Answers: Is there a way to use eval before the initial event search (sourcetype=xx)? My macro definition is: ![alt text][1] I feel like i am close to what I need, however, I appreciate you all for your time reading this. ... View more