Hi,
I've searched throughout Answers for some time now and didn't find any, unfortunately.
Got in my Splunk environment an event per Incident, which contain both the dates at which it was opened, and the date at which it was closed.
It pretty much looks like this:
_time,number,priority,opened_at,closed_at
2016-03-02 09:16:04,1,High,2016-03-02 09:16:04,2016-03-02 10:33:09
2016-03-02 09:25:42,2,Medium,2016-03-02 09:25:42,
2016-03-02 09:28:24,3,High,2016-03-02 09:28:24,2016-03-02 09:39:02
2016-03-02 09:28:25,4,High,2016-03-02 09:28:25,2016-03-02 09:40:33
2016-03-02 10:48:33,5,Critical,2016-03-02 10:48:33,
2016-03-02 10:55:11,6,Low,2016-03-02 10:55:11,
2016-03-02 12:34:07,7,Medium,2016-03-02 12:34:07,2016-03-02 17:46:21
2016-03-02 15:29:03,8,Medium,2016-03-02 15:29:03,2016-03-03 00:55:39
Note that some events don't have a set closed_at date, as they haven't been closed yet, and also please note that the _time is set at the same time as opened_at.
My goal is to calculate the number of opened incidents and closed ones through time (without pulling out the events twice with a subsearch where I would set the _time to closed_at), pretty much like this:
https://sourceforge.net/blog/communityhub/uploads/2011/11/screen-shot-2011-11-22-at-23723-pm-600x349.png.
I've tried several things, but with no luck.
So, here's the beginning of my request where I transform the dates fields as epoch time fields:
search
| eval opened_at=strptime(opened_at, "%Y-%m-%d %H:%M:%S")
| eval closed_at=strptime(closed_at, "%Y-%m-%d %H:%M:%S")
Any help would be greatly appreciated.
Thank you,
Romain
... View more