I want to create a timechart that counts all active events (Status = active). These are bug reports. This is actually a burn down chart.
Therefore, if I have 2 open bugs on Monday, and 3 Open bugs on Tuesday,
the chart should show 2 on Monday and 5 on Tuesday.
Lets say 1 of the Monday bugs became resolved on Tuesday, then on Tuesday, I have 1 open bug from Monday and 3 on Tuesday. The chart would then show 2 on Monday and 4 on Tuesday.
For the bug that was resolved, there are two individual events representing it:
First event : Status = Open, BugId=1, time=Monday
Second Event : Status = Closed, BugId=1, time=Tuesday
I have to make a timechart that takes all open bugs in consideration.
I cannot simply use dedup on BugId before my timechart command, as this removes my open bug on Monday.
Also, I cannot simply accumulate my bars with eventstats, as the bug that is open on Monday may be closed on Tuesday, but Tuesday would still show 5 bugs, where it should be 4.
I need to be able to dedup the bugs and add all the open bugs for EACH individual bucket of time.
Note: If a bug is opened on Monday and closed on Wednesday, I would like it to show up(count) as Open for both Monday and Tuesday.
I would use a stats command to aggregate things:
| stats last(_time) as _time first(status) as status by BugId
THis will give you one row per BugId with the oldest _time it was seen, and the most recent status. THen you can pipe that to a filter so you only get the Open BugId's, and timechart that set of results.
| stats last(_time) as _time first(status) as status by BugId | where status="Open" | timechart count
I am currently facing a similar issue where I need to track past events and show their active state over time. Have you solved your problem and found a way to build an accurate chart? If so, can you please provide an example?
The problem with this is that the bug will only be applied to one time. I want the bug to be counted for all the times it is open. For example, if the bug is open on Monday and closed on Thursday, I want to see it counted for the Monday, Tuesday and Wednesday count.
Then you simply remove the | where status="Open" bit
For this answer, it will eliminate all my bugs that were closed.
If a bug was opened on Monday and closed on Tuesday, I still want it to show up for the Monday count. I do not want only the bugs that are currently still open.