I am trying to create a report where the same engineer has escalated a ticket and resolved it. For example, ticket 13440211 was escalated by shan and also closed by him. How can I create a query for this?
   Ticket    status     Engineer  count
1  13440238  ESCALATED  shan      10
2  13440211  CLOSED     shan      74
3  13440211  ESCALATED  shan      74
4  13440188  ESCALATED  shan      2
5  13440144  ESCALATED  shan      2
6  13440143  ESCALATED  chan      15
6  13440143  CLOSED     chan      15
7  13440143  ESCALATED  shan      14
Something like:
index=blah sourcetype=bleh STATUS=ESCALATED OR STATUS=CLOSED | transaction Ticket | where mvcount(Engineer) = 1
could work.
/K
Try this
index=hfgtrdaily status=* ty=* STATUS=ESCALATED OR STATUS=CLOSED | search Engineer!=system | transaction Ticket | where mvcount(Engineer) = 1
I am including this in my search, but I receive the error "Unknown search command 'index'."
index=hfgtrdaily status=* ty=* | search Engineer!=system | index=blah sourcetype=bleh STATUS=ESCALATED OR STATUS=CLOSED| transaction Ticket | where mvcount(Engineer) = 1
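An added example, not part of the original thread: a stats-based variant that groups by ticket and engineer and keeps only pairs where that engineer has both statuses. It assumes the index and the field names Ticket, Engineer and STATUS exactly as they appear in the queries above. Unlike `mvcount(Engineer) = 1` on a transaction, it does not return tickets that were only escalated, and it still returns a ticket when a second engineer also touched it.

```spl
index=hfgtrdaily (STATUS=ESCALATED OR STATUS=CLOSED) Engineer!=system
| stats dc(STATUS) AS status_count values(STATUS) AS statuses BY Ticket Engineer
| where status_count=2
| table Ticket Engineer statuses
```

On the sample rows in the question this returns 13440211 for shan and 13440143 for chan.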