Hi Murali,

so the query returned the results, however the avg(Resolution Time) is blank, and there is also a complexity field with the name not assigned.

When I try to pull the single value chart, I only receive the word "intensive"

the rename command should be rename Level AS Complexity.
Can you try that?

same results

if you would like to have four different single value chart for each Complexity, then you would need to have four search queries. I think you cannot produce four single value charts with one query.

In this case, the single value chart is taking the first value.

Okay that I under, so I would update the query

with the following?

by Complexity="Intensive"

The query you provided initially provided the correct breakdown, however there was just no information/ data for avg(ResolutionTime) for either of the complexity. That field was blank

ex.

Intensive|blank
Intermediate|blank
Moderate|blank
Minimal|blank
Not assigned|blank

This would probably due to eval expression.

Two things you need to check.
1. The timeformat for both Start Time and _time are "%Y-%m-%dT%H:%M:%S.%3N-%z". If not please modify the format accordingly, so that the strptime can convert it into correct epoch time.
2. Remove single quotes in the eval expression as below.
| eval ticketCreated=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N-%z") | eval ticketClosed=strptime(_time,"%Y-%m-%dT%H:%M:%S.%3N-%z")

The time variable in the strptime must not be quoted. Apologies for multiple changes.

I was able to figure this out ty

Hi Murali,

So I was able to capture the resolution time based on Complexity. However when I run my current search command, it displays the value's in a weird method.

Is there a way to display the value in an easier format such as 2Days 8 Hours and 30 Minutes?

Search below:

index=sdp Department="*" "Request Status"=Closed OR "Request Status"=Resolved Level="Intensive" | rename Level as Complexity | eval ticketCreated=_time | eval ticketClosed=strptime('Resolved Time',"%b %d,%Y %I:%M %p") | eval Averagetime1=ticketClosed-ticketCreated | stats avg(Averagetime1) as timeVariable by Complexity | fieldformat timeVariable = tostring(timeVariable,"duration")

Value display is:
@+08:30:30.000000

Hi Jhoang,

You can use the below

  | eval timeVariable=tostring(totalVariable,"duration") | eval TimeTaken = replace(timeVariable,"(\d*)\+(\d*)\:(\d+)\:(\d+)\.(\d+)","\1Days \2Hours \3Minutes \4Seconds")

should I be replacing ticketClosed - ticketCreated with:

Resolved Time - Created Time and

I was able to figure this out, ty

Hey,

I tried the above query but it does not return any results. I am comfortable with the suggestion you provided in regards to the field names with underscores, how would the new query look instead?

What is the difference between the single and double quotes?

Single quotes can be used to quote field names with spaces. I use them during an eval. e.g.
| eval MyField = 'some other field' will treat 'some other field' as an actual field name. Whereas, | eval MyField = "some other field" will set MyField to the literal string of "some other field"

I made up the TicketNumber field. I assume there is one in your events, or some other ID that you can key off of? Change it to that field name.

If you redo your field extractions with underscores, it would look something like this:

index=sdp Department="*" "Request Status"="*" Level="*" | rename Level as Complexity |transaction TicketNumber startswith=(Request Status=Open*) endswith=(Request_Status=Resolved OR Request_Status=Closed) | stats sum(duration) as TimeOpen by Complexity 

See also: http://docs.splunk.com/Documentation/Splunk/6.0.3/Search/Identifyandgroupeventsintotransactions#Tran...