Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my inputlookup search to create a time chart of status over time from our CSV file?

splunker9999
Path Finder
‎08-30-2016 01:45 PM

Hi,

We are looking for time chart that would give Status over time from our CSV file.

Line graph should plot by Month (this field does not exist in our data).

Here is sample data from the lookup which has date/Time Opened field. Using this, we need to get a timechart by status over month.

Case    Contact Name   Subject       Status   Case Age (days)   Owner Name    Date/Time Opened
29541   Yalamanchil    Memory        Open     289               Chandhok      11/11/2015 11:23
35594   Mullangi       Gold DR-      Closed   149               Chandhok      3/30/2016 9:00
37506   Yalamanchili   CORAL volume  Open     100               Chandhok      5/18/2016 21:16

Sample search looks like below:

|inputlookup Mapr_Ticket_Metrics.csv| eval Status= if(Status!="Closed", "Open", "Closed")|chart count over "Date/Time Opened"`by Status

This search lists by time value (but we need to aggregate these by month, our X-Axis should give month)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-30-2016 02:49 PM

Give this a try

 |inputlookup Mapr_Ticket_Metrics.csv| eval Status= if(Status!="Closed", "Open", "Closed") | eval _time=strptime('Date/Time Opened',"%m/%d/%Y %H:%M") | timechart span=1mon count by Status

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-30-2016 02:49 PM

Give this a try

 |inputlookup Mapr_Ticket_Metrics.csv| eval Status= if(Status!="Closed", "Open", "Closed") | eval _time=strptime('Date/Time Opened',"%m/%d/%Y %H:%M") | timechart span=1mon count by Status
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-30-2016 01:49 PM

Try this

 |inputlookup Mapr_Ticket_Metrics.csv| eval Status= if(Status!="Closed", "Open", "Closed")|eval dtm=strptime("Date/Time Opened", "%m/%d/%Y")  | bin span=1mon dtm | chart count over dtm by Status | eval dtm=strftime(dtm, "%m/%d/%Y")  | rename dtm AS "Date/Time Opened"
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...