Solved: How to create a timechart with the count of open e...

lordadmiral · ‎04-29-2016

Hi there,

I have events which indicate opening and closing of an event. I want to see the amount of open events (that did not get a closing event by that time) at a given time.

Snipped from my search so far:

... | stats earliest(_time) as _time by processid, service, location | eval combkey = service." - ".processid | eval openclosed = if(location="o","close","open") | timechart...

I just have no idea how to achieve this.

Any idea is welcome 🙂

thanks
lordadmiral

somesoni2 · ‎04-29-2016

Try like this

.. | stats earliest(_time) as _time by processid, service, location | eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)

View solution in original post

somesoni2 · ‎04-29-2016

Try like this

.. | stats earliest(_time) as _time by processid, service, location | eval openclosed = if(location="o",-1,1) | timechart sum(openclosed)

lordadmiral · ‎05-02-2016

Thanks a lot somesoni2!

sundareshr · ‎04-29-2016

Have you tried ... | timechart span=15m count by openclosed

lordadmiral · ‎05-02-2016

Thanks for answering sundareshr! somesoni2´s answer did the trick. 😉

How to create a timechart with the count of open events that did not have a closing event within a certain time frame?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!