Splunk Search

show difference of 2 accumulated values in line chart

matansocher
Contributor

Hi,

I have created a chart to show the accumulated number of open and closed ticket:


My code:

sourcetype=snow:incident
| dedup number 
| search dv_assignment_group=*israel* (dv_assigned_to=*)
| eval sys_created_on = substr(sys_created_on,1,10) 
| replace 5 with Closed 7 with Closed in incident_state
| table number incident_state _time 
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed

I thought of a better way to show the difference: 1 line to represent the difference between the "Open" and "Closed" over time.

Thanks

1 Solution

rjthibod
Champion

To do what you want, you can simply add | eval Diff = Opened - Closed | fields - Opened Closed to the end of your query.

Separately, I recommend you simplify and optimize your search. Got some unnecessary stuff in there.

 sourcetype=snow:incident dv_assignment_group=*israel* dv_assigned_to=*
| fields _time number  incident_state 
| dedup number 
| replace 5 with Closed 7 with Closed in incident_state
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed
| fillnull value=0 Opened Closed
| eval Diff = Opened - Closed
| fields - Opened Closed

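The pipeline in the accepted answer, reproduced as an added Python example (not code from the thread or from Splunk) so the semantics of dedup, the daily buckets, accum and the final subtraction can be checked offline. The event list is constructed sample data in the shape of snow:incident events, not real tickets. Because dedup keeps the newest event per number and timechart buckets on _time, both series end up bucketed by the time of each ticket's latest snapshot, and the example does the same; days with no surviving event still get a row with counts of 0, as timechart span=1d produces.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of "snow:incident" events (not real ServiceNow data):
# one row per ingested snapshot of a ticket, as (_time, number, incident_state).
# INC001, INC002 and INC003 appear more than once, as they would when the
# add-on re-pulls a ticket after it is updated. 2024-03-05 has no events.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "INC001", "1"),
    ("2024-03-01T10:30:00", "INC002", "2"),
    ("2024-03-02T08:15:00", "INC001", "7"),  # INC001 closed
    ("2024-03-02T11:00:00", "INC003", "1"),
    ("2024-03-03T14:20:00", "INC002", "5"),  # INC002 resolved
    ("2024-03-03T15:00:00", "INC004", "2"),
    ("2024-03-04T09:45:00", "INC003", "1"),  # newer snapshot, still open
    ("2024-03-06T12:00:00", "INC005", "1"),
]

# Mirrors "| replace 5 with Closed 7 with Closed in incident_state"
CLOSED_STATES = {"5", "7"}


def dedup_latest(events):
    """Emulate "| dedup number".

    Splunk hands events to dedup newest-first and dedup keeps the first one
    it sees, so each ticket survives as its most recent snapshot only.
    """
    latest = {}
    for event in sorted(events, key=lambda e: e[0], reverse=True):
        latest.setdefault(event[1], event)
    return list(latest.values())


def running_diff(events):
    """Emulate timechart span=1d, accum Opened, accum Closed and eval Diff.

    Returns one (day, Opened, Closed, Diff) tuple per calendar day from the
    first to the last surviving event. Opened and Closed are running totals,
    as they are after "| accum", and Diff = Opened - Closed.
    """
    kept = dedup_latest(events)
    opened_per_day = defaultdict(int)
    closed_per_day = defaultdict(int)
    for t, _, state in kept:
        day = date.fromisoformat(t[:10])  # span=1d bucket
        opened_per_day[day] += 1  # "count as Opened": every event counts
        if state in CLOSED_STATES:
            closed_per_day[day] += 1  # count(eval(incident_state=="Closed"))

    # timechart emits every span in the range; empty spans get count 0.
    day = min(opened_per_day)
    last = max(opened_per_day)
    opened = closed = 0
    rows = []
    while day <= last:
        opened += opened_per_day.get(day, 0)
        closed += closed_per_day.get(day, 0)
        rows.append((day.isoformat(), opened, closed, opened - closed))
        day += timedelta(days=1)
    return rows


if __name__ == "__main__":
    for day, opened, closed, diff in running_diff(SAMPLE_EVENTS):
        print(f"{day}  Opened={opened}  Closed={closed}  Diff={diff}")
```

Run it and the Diff column is the single line the question asks for. One thing the SPL does not make visible: eval arithmetic on a field that does not exist returns null rather than an error, so a misspelled field name (Close instead of Closed) silently produces an empty Diff series; the field names in the eval must match the "as" names given to timechart.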
