@sundareshr Thanks. I've tried your query in Splunk, but there is an error. There are some background features of this problem I need to tell you. So if you got it, I would appreciate it if you could give me some advice to solve this problem!
Features
A task has two categories but shares only one taskId. And the task in the Splunk index has two events with different categories, that is, either category=Created or category=Started.
A task is created first and then started. Not every task is started just after being created.
So I need to know the sum of tasks created but not started in [-24,-23], [-24,-22] and [-24,-21] ... [-24,now] hours.
After I draw the chart, I can know the trend of how many tasks are created but not started.
My query can just show the sum of tasks created but not started in [-24,now] hours. That troubles me.
index="index_kkk" category=Created earliest=-1d
| search NOT [search index="index_kkk" AND category=Started earliest=-1d
| fields taskId
]
| timechart count span=1h
| streamstats sum(count) as cumulative
Is that clear to you? Could you give me some advice? Thank you very much!