Problem
I want to be able to create a timechart that outlines the company's incident count by week.
The issue I have is that many incidents are created in one week but then resolved in the following week. That final event is then shown in the following week's figures.
The way I have gotten around this before, when searching a specific timeframe, is by creating a start and end timestamp and having the Dates_Created field fall between the two times. However, I am unsure how to use this in a week-by-week case.
Example:
| eval startstamp=strftime(relative_time(now(),"-mon@mon"),"%Y-%m-%d %H:%M:%S")
| eval endstamp=strftime(relative_time(now(), "-1s"),"%Y-%m-%d %H:%M:%S")
| where Dates_Created >= startstamp AND Dates_Created < endstamp
Query
This query currently shows me all events that have occurred on a week-by-week basis. However, I want it to show all tickets that were created (Dates_Created) on a week-by-week basis.
index="Respond" sourcetype=Ticket queue="Incident" earliest=-42d@d latest=now
| dedup ticket
| eval week_month=strftime(_time, "%V")
| bucket span=7d _time
| chart count by week_month
Any help will be greatly appreciated.
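One way to bucket tickets by the week they were created rather than the week of their last event, as an added example written for this question (not from the original thread). It assumes Dates_Created is a string in the "%Y-%m-%d %H:%M:%S" layout used in the question's strftime example; parsing it with strptime and overwriting _time with the result lets timechart bucket on the creation date, and the where clause drops rows whose date failed to parse.

```spl
index="Respond" sourcetype=Ticket queue="Incident" earliest=-42d@d latest=now
| dedup ticket
| eval created_epoch=strptime(Dates_Created, "%Y-%m-%d %H:%M:%S")
| where isnotnull(created_epoch)
| eval _time=created_epoch
| timechart span=1w count AS created_tickets
```

Because earliest/latest still filter on the original event time, a ticket created inside the reporting window but with no events in that window will not appear, so widen earliest if tickets stay open for longer than the window.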