Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to plot backlog data on timechart?

SanjayReddy
SplunkTrust
SplunkTrust
‎10-20-2022 06:26 AM

Hi All,

I need help on plotting backlog data on timechart

We have set of tickets in backlog on specific dates with workgroups, wanted to show them in Timechart 

Below is the situation 

example ticket123 is backlog on 1st Oct with group A

and same ticket123 moved to group B on 03rd Oct and with them till 05th Oct

at last ticket moved Group C on 06th

Now below is the table that shows in Splunk. 

Date        Ticket     Workgroup  status
01-Oct     123             A                 Pending
03-Oct     123             B                 Pending
06-Oct     123            C                  Pending

 
from above table  if we do timechart its shows ticket123 in backlog on 01st , 03rd and 06th 

however ticket 
ticket123,   in backlog on 01st and 02nd in group A
ticket123,   in backlog on 03rd,04th and 05th in group B
ticket123,   in backlog on 06th in group B

how to get dates in  02nd,04th,05th in Table so that we can show on the timechart that the ticket in the backlog has specific dates.  

Labels (1)
Labels
0 Karma
Reply

alinabo12
Observer
‎10-23-2022 08:33 AM

Try something like this (keeping your current version of query)

Your query for ticket_inflow
| join type=left _time [Your query for tickets_cancelled]
| join type=left _time [Your query for tickets_resolved]
| reverse
| appendcols [ your query for backlog]
| reverse

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2022 07:26 AM

To fill in the gaps in dates, use the makecontinuous command.

...
```Convert Date to integer for makecontinuous```
| eval date=strptime(Date, "%d-%b")
```Fill in missing days```
| makecontinuous span=1d date
```Convert new dates to desired format```
| eval Date=strftime(date, "%d-%b")
```Fill in remaining fields```
| filldown | fields - date
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎10-21-2022 07:29 AM

Hi  richgalloway  and  ITWhisperer , 

Many thanks for your reply 

this is working fine one ticket,
However If I check for Multiple tickets , dates are not sorted properly 

ex: 
Ticket A and Ticket B
Date        Ticket     Workgroup  status
01-Oct     123             A                 Pending
03-Oct     123             B                 Pending
06-Oct     123            C                  Pending

Date        Ticket     Workgroup  status
04-Oct     456             A                 Pending
07-Oct    456             B                 Pending
08-Oct    456             C                  Pending

Current output 

Date        Ticket     Workgroup  status
01-Oct     123             A                 Pending
02-Oct     123             A                 Pending
03-Oct     123             B                 Pending
04-Oct     456             A                 Pending
05-Oct     456             A                 Pending
06-Oct     456            C                  Pending
06-Oct     123            C                  Pending
07-Oct    456             B                 Pending
08-Oct    456             C                  Pending


expected  output  with group  events for each tickets at one place

expected  output

Date        Ticket     Workgroup  status
01-Oct     123             A                 Pending
02-Oct     123             A                 Pending
03-Oct     123             B                 Pending
04-Oct     123            C                  Pending
05-Oct     123            C                  Pending
06-Oct     123            C                  Pending

04-Oct     456             A                 Pending
05-Oct     456             A                 Pending
06-Oct     456             A                 Pending
07-Oct     456             C                  Pending
08-Oct    456             C                  Pending

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-21-2022 07:31 AM 
| sort 0 Ticket _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-20-2022 07:08 AM

Assuming you are not worried about status, and your Date field is actually _time (if it isn't then set _time to be the epoch datetime version of this field), you could try something like this:

| timechart span=1d values(Workgroup) by Ticket
| makecontinuous _time span=1d
| filldown *
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...