I have a simple ticketing system.
I need to show the number of tickets open for each client at the end of each week - since 1/1/2015.
This search will show the number of jobs opened for that week
...Project="MyClient1"
| eval DateCreated=strptime(Created,"%d/%m/%Y %H:%M")
| eval DateResolved=strptime(Resolved,"%d/%m/%Y %H:%M")
| eval JobState=if(DateResolved>DateCreated,"Calculated Closed","CalculatedAsOpen")
| where JobState="CalculatedAsOpen"
| timechart span=1week count(JobState) by JobState
but does not count jobs open from previous weeks.
The query would need to evaluate DateResolved against the current timechart time to determine if it was still open.
A similar question is posted here https://answers.splunk.com/answers/78275/timechart-accumulation-of-all-events-from-previous-times.html
AJ
... View more