I managed to count how many events (tickets) were created and completed in the last weeks (last 6 months).
You can see a piece of the output below.
As you can see, tickets can be opened and closed in different weeks, and I want to get a chart like this (it can be just the number of completed and opened in bars, without the line):
I can do this:
append [ | gentimes start=-180 | bin span=1w endtime | stats count by endtime | eval year_week=strftime(endtime, "%Y-%U") | table year_week| reverse ] |
And I will get an additional column with the last weeks. But what next?
Any ideas how to do it better?
OK, it was easier than I thought (newbie here).
I just searched for all events that are opened and closed in the same week, and then just dedup it. So the output now looks like this:
Now I have problems with the chart. Any ideas how I can put these values: open_during_week, complete_during_week over week_number_for_open?
Again, I do not understand your question. What do you mean by "put"?
I mean: "How to populate chart like above, with values open_during_week, complete_during_week over week_number_for_open?"
What search generated the output in your last update?
I don't quite get what you are trying to do, but have you checked out the concurrency command?
https://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Concurrency