Activity Feed
- Posted Re: help with sum time between event from other sourcetypes on Splunk Search. 01-11-2014 12:25 AM
- Posted help with sum time between event from other sourcetypes on Splunk Search. 01-10-2014 03:37 AM
- Tagged help with sum time between event from other sourcetypes on Splunk Search. 01-10-2014 03:37 AM
Topics I've Started
01-11-2014 12:25 AM
Thank you for your answer, but I also need to calculate the time of the events that came back to the crew.
I will be very happy if you or someone else can help me.
Thank you.
01-10-2014 03:37 AM
Hi,
I have some events that can be transferred from one crew to another, and their status can also be changed.
I have 3 sourcetypes (1 sourcetype (ALL_EVENTS) is a dump and the other two are tails).
The first sourcetype contains the events, and the other 2 contain the history of the events (1 contains the whole history of status changes and the other contains the changes / transfers of the event from one crew to another).
I want to sum the overall time (duration) the crew "IT-1" handled all events whose last status is not CANCEL, i.e. the overall time it takes the crew ("IT-1") to handle the events.
It looks like this:
sourcetype: ALL_EVENTS
event_id CURRENT_CREW CURRENT_STATUS
---------- ------------- -----------------
1111 IT-1 CLOSE
2222 IT-1 CANCEL
3333 IT-1 CLOSE
4444 IT-2 IN_PROGRESS
sourcetype: STstatus
event_id Update_date old_status new_status handling_crew
---------- -------------- ----------- ----------- --------------
1111 1/1/14 07:59:00 NULL OPEN NULL
2222 1/1/14 08:05:00 NULL OPEN NULL
1111 1/1/14 08:05:00 OPEN IN_PROGRESS IT-1
3333 1/1/14 08:09:00 NULL OPEN NULL
4444 1/1/14 08:11:00 NULL OPEN NULL
1111 1/1/14 08:20:00 IN_PROGRESS CANCEL IT-1
1111 1/1/14 08:23:00 CANCEL REOPEN IT-1
1111 1/1/14 08:25:00 REOPEN CLOSE IT-1
3333 1/1/14 08:26:00 OPEN IN_PROGRESS IT-1
3333 1/1/14 08:27:00 IN_PROGRESS CLOSE IT-1
2222 1/1/14 08:30:00 OPEN CANCEL IT-1
4444 1/1/14 08:31:00 OPEN IN_PROGRESS IT-2
sourcetype: STcrew
event_id Update_date old_crew new_crew
------- ---------------- ---------- ------------
1111 1/1/14 08:00:00 NULL IT-1
2222 1/1/14 08:05:05 NULL HELP_DESK-1
3333 1/1/14 08:10:00 NULL IT-1
4444 1/1/14 08:11:05 NULL IT-2
1111 1/1/14 08:15:00 IT-1 IT-2
2222 1/1/14 08:16:00 HELP_DESK-1 IT-1
1111 1/1/14 08:19:00 IT-2 IT-1
I want to sum the overall time the crew "IT-1" handled all events whose last status is not CANCEL.
It needs to calculate the time like this:
1/1/14 08:00:00 - 1/1/14 08:15:00 +
1/1/14 08:19:00 - 1/1/14 08:20:00 +
1/1/14 08:23:00 - 1/1/14 08:25:00 +
1/1/14 08:10:00 - 1/1/14 08:27:00 = 15 + 1 + 2 + 17 = 35
and the result I will see is (in minutes): 35
The schema for the calculation is:
1. don't calculate the event whose last status is CANCEL
2. start summing all the events where (new_crew = "IT-1" AND current_status is not CLOSE / CANCEL) OR (new_status = OPEN / REOPEN)
3. sum until (old_crew = "IT-1") OR (new_status is CLOSE / CANCEL AND handling_crew = "IT-1")
I tried to do a part of this (because I don't know how to add another field to the list):
index="x" sourcetype="STstatus"
| eval _time = strptime(Update_date, "%m/%d/%y %H:%M:%S")
| eventstats latest(new_status) as lastStatus by event_id
| search NOT lastStatus="CANCEL"
| transaction event_id mvlist=new_status startswith=eval(new_status="OPEN" OR new_status="REOPEN") endswith=eval(new_status="CLOSE" OR new_status="CANCEL")
| stats sum(duration) as sDuration by event_id
| eval SumMin = sDuration / 60
Tags: pre
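As an added, runnable illustration of the three rules in the post (example code written for this page, not part of the original post and not Splunk's own code): the two history sourcetypes are merged into one per-event timeline and walked as a small state machine, which is what any SPL solution has to reproduce. The sample rows are transcribed from the post's tables; the date layout `%m/%d/%y %H:%M:%S` is an assumption about `Update_date`. It also assumes that the OPEN / REOPEN arm of rule 2 only starts an interval while the event is currently assigned to the crew (otherwise the 08:09 OPEN of event 3333 would start counting a minute before IT-1 received it and the post's 35 would not come out), and it adds an optional `as_of` parameter for intervals still open at the end of the data.

```python
"""Sum the minutes a crew spent handling events, from two change-history feeds.

Rules implemented (from the post):
  1. skip events whose final status is CANCEL
  2. start an interval when the crew receives the event (status not CLOSE/CANCEL),
     or when an event already assigned to the crew goes OPEN/REOPEN
  3. end it when the crew hands the event off, or closes/cancels it itself
"""
from collections import defaultdict
from datetime import datetime

FMT = "%m/%d/%y %H:%M:%S"  # assumed layout of Update_date in the sample rows
END_STATES = {"CLOSE", "CANCEL"}
START_STATES = {"OPEN", "REOPEN"}

# Constructed sample data: the three sourcetypes transcribed from the post.
ALL_EVENTS = {"1111": "CLOSE", "2222": "CANCEL", "3333": "CLOSE", "4444": "IN_PROGRESS"}

STSTATUS = """\
1111 1/1/14 07:59:00 NULL OPEN NULL
2222 1/1/14 08:05:00 NULL OPEN NULL
1111 1/1/14 08:05:00 OPEN IN_PROGRESS IT-1
3333 1/1/14 08:09:00 NULL OPEN NULL
4444 1/1/14 08:11:00 NULL OPEN NULL
1111 1/1/14 08:20:00 IN_PROGRESS CANCEL IT-1
1111 1/1/14 08:23:00 CANCEL REOPEN IT-1
1111 1/1/14 08:25:00 REOPEN CLOSE IT-1
3333 1/1/14 08:26:00 OPEN IN_PROGRESS IT-1
3333 1/1/14 08:27:00 IN_PROGRESS CLOSE IT-1
2222 1/1/14 08:30:00 OPEN CANCEL IT-1
4444 1/1/14 08:31:00 OPEN IN_PROGRESS IT-2
"""

STCREW = """\
1111 1/1/14 08:00:00 NULL IT-1
2222 1/1/14 08:05:05 NULL HELP_DESK-1
3333 1/1/14 08:10:00 NULL IT-1
4444 1/1/14 08:11:05 NULL IT-2
1111 1/1/14 08:15:00 IT-1 IT-2
2222 1/1/14 08:16:00 HELP_DESK-1 IT-1
1111 1/1/14 08:19:00 IT-2 IT-1
"""


def parse_rows(text, kind):
    """Turn whitespace-separated history rows into (timestamp, kind, event_id, fields)."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        ts = datetime.strptime(f[1] + " " + f[2], FMT)
        rows.append((ts, kind, f[0], f[3:]))
    return rows


def crew_handling_minutes(target, all_events, status_text, crew_text, as_of=None):
    """Minutes `target` spent handling each event whose final status is not CANCEL.

    Returns {event_id: minutes}. An interval still open after the last row is
    counted up to `as_of` when given, otherwise ignored (its end is unknown).
    """
    timeline = defaultdict(list)
    for row in parse_rows(status_text, "status") + parse_rows(crew_text, "crew"):
        timeline[row[2]].append(row)

    per_event = {}
    for event_id, rows in timeline.items():
        if all_events.get(event_id) == "CANCEL":  # rule 1: final status is CANCEL
            continue
        rows.sort(key=lambda r: r[0])  # stable sort: equal timestamps keep input order
        crew = status = open_since = None
        seconds = 0.0
        for ts, kind, _, f in rows:
            if kind == "crew":
                old_crew, new_crew = f
                if old_crew == target and open_since is not None:  # rule 3: handed off
                    seconds += (ts - open_since).total_seconds()
                    open_since = None
                crew = new_crew
                if new_crew == target and status not in END_STATES and open_since is None:
                    open_since = ts  # rule 2: received the event while it is still active
            else:
                _old_status, new_status, handling_crew = f
                status = new_status
                if new_status in END_STATES and handling_crew == target and open_since is not None:
                    seconds += (ts - open_since).total_seconds()  # rule 3: crew closed/cancelled it
                    open_since = None
                if new_status in START_STATES and crew == target and open_since is None:
                    open_since = ts  # rule 2: (re)opened while assigned to the crew
        if open_since is not None and as_of is not None:
            seconds += (as_of - open_since).total_seconds()
        per_event[event_id] = seconds / 60
    return per_event


def total_minutes(per_event):
    """Grand total over all counted events, in minutes."""
    return sum(per_event.values())


if __name__ == "__main__":
    breakdown = crew_handling_minutes("IT-1", ALL_EVENTS, STSTATUS, STCREW)
    for event_id, minutes in sorted(breakdown.items()):
        print(f"{event_id}: {minutes:g} min")
    print(f"total: {total_minutes(breakdown):g}")
```

Running it for "IT-1" gives 18 minutes for 1111 (15 + 1 + 2), 17 for 3333 and 0 for 4444, total 35, with 2222 dropped by rule 1. The point for the Splunk side is that both history sourcetypes have to be in the same search and ordered by `_time` before any per-event accumulation: a `transaction` over STstatus alone never sees the crew handoffs at 08:15 and 08:19, so it cannot split 1111's time between IT-1 and IT-2.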