About corecost

corecost

I was able to get it to work with this final query: index="jsm_issues" | dedup _time key | timechart count by fields.status.name | foreach * [eval <<FIELD>> = if('<<FIELD>>' > 0, '<<FIELD>>', null())] | filldown * Thank you so much for your answer.

corecost

A lot of that query wasn't cleaned up from previous exploration queries, but thanks for the response. It looks like your suggestion is almost working for me except that the statement errors on the columns that are multi-worded | foreach * [eval <<FIELD>> = if(<<FIELD>> > 0, <<FIELD>>, null())]

corecost

I am trying to track a set of service desk ticket status across time. The data input is a series of ticket updates that come in as changes occur. Here is a snapshot: What I'd like to do with this is get a timechart with the status at each time point, however, I have an issue of the "blank" time events being filled in with zeros, whereas I need the last valid value instead. My naive query is: index="jsm_issues" | sort -_time | dedup _time key | timechart count(fields.status.name) by fields.status.name Which gives me: How can I query to get these zeros filled in with the last valid count ticket statuses? Some things I've tried with no success: Some filldown kludges usenull=f on the timechart A million other suggestions on this forum that usually involve a simpler query Any suggestions? Thanks!

Posts	3
Solutions	1
Karma Given	1
Karma Received	0
Member Since	‎10-04-2024

Online Status	Offline
Date Last Visited	Friday

Tracking ticket statuses and getting timechart to ...

Re: Tracking ticket statuses and getting timechart...

Re: Tracking ticket statuses and getting timechart...

Tracking ticket statuses and getting timechart to ...