Hi,
I have created a chart to show the accumulated number of open and closed tickets:
My code:
sourcetype=snow:incident
| dedup number
| search dv_assignment_group=*israel* (dv_assigned_to=*)
| eval sys_created_on = substr(sys_created_on,1,10)
| replace 5 with Closed 7 with Closed in incident_state
| table number incident_state _time
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed
I thought of a better way to show the difference: 1 line to represent the difference between the "Open" and "Closed" over time.
Thanks
To do what you want, you can simply add | eval Diff = Opened - Closed | fields - Opened Closed
to the end of your query.
Separately, I recommend you simplify and optimize your search. Got some unnecessary stuff in there.
sourcetype=snow:incident dv_assignment_group=*israel* dv_assigned_to=*
| fields _time number incident_state
| dedup number
| replace 5 with Closed 7 with Closed in incident_state
| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
| accum Opened
| accum Closed
| fillnull value=0 Opened Closed
| eval Diff = Opened - Closed
| fields - Opened Closed
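To make the behaviour of that pipeline concrete, here is a small Python model of the answer's search, added as an illustration (it is not code from the thread and not a Splunk API). Each function mirrors one stage: dedup keeps the newest event per ticket number (as Splunk's newest-first dedup does), the replace step maps states 5 and 7 to Closed, the timechart step creates a bucket for every day in the range, including days with no events, and the accum/fillnull/eval steps produce the running totals and the Diff line. The ticket events are constructed sample data.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample events (not real ServiceNow data). Several rows share a
# ticket number so that the dedup step has something to collapse.
EVENTS = [
    {"_time": "2024-01-01 09:00", "number": "INC001", "incident_state": "2"},
    {"_time": "2024-01-01 10:00", "number": "INC002", "incident_state": "2"},
    {"_time": "2024-01-01 11:00", "number": "INC003", "incident_state": "2"},
    {"_time": "2024-01-02 14:00", "number": "INC001", "incident_state": "7"},  # closed
    {"_time": "2024-01-03 08:00", "number": "INC004", "incident_state": "2"},
    {"_time": "2024-01-03 09:30", "number": "INC005", "incident_state": "6"},  # resolved, not closed
    {"_time": "2024-01-05 16:00", "number": "INC003", "incident_state": "5"},  # closed
]

# incident_state codes the thread maps to "Closed"
CLOSED_STATES = {"5", "7"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def dedup_latest(events):
    """| dedup number -- Splunk walks events newest-first, so the surviving
    row for each ticket is its most recent update."""
    latest = {}
    for ev in sorted(events, key=lambda e: parse_time(e["_time"]), reverse=True):
        latest.setdefault(ev["number"], ev)
    return list(latest.values())


def replace_state(ev):
    """| replace 5 with Closed 7 with Closed in incident_state"""
    state = "Closed" if ev["incident_state"] in CLOSED_STATES else ev["incident_state"]
    return {**ev, "incident_state": state}


def timechart_daily(events):
    """| timechart span=1d count as Opened count(eval(incident_state=="Closed")) as Closed
    Every day between the first and last event gets a bucket, even when it is empty,
    which is what makes the later running total continuous."""
    days = [parse_time(e["_time"]).date() for e in events]
    first, last = min(days), max(days)
    buckets = OrderedDict()
    d = first
    while d <= last:
        buckets[d.isoformat()] = {"Opened": 0, "Closed": 0}
        d += timedelta(days=1)
    for ev in events:
        b = buckets[parse_time(ev["_time"]).date().isoformat()]
        b["Opened"] += 1
        if ev["incident_state"] == "Closed":
            b["Closed"] += 1
    return buckets


def accumulate_with_diff(buckets):
    """| accum Opened | accum Closed | fillnull value=0 Opened Closed
       | eval Diff = Opened - Closed
    A missing or null count is treated as 0 (the fillnull step) so the
    subtraction never produces an empty Diff."""
    run_open = run_closed = 0
    out = OrderedDict()
    for day, b in buckets.items():
        run_open += b.get("Opened") or 0
        run_closed += b.get("Closed") or 0
        out[day] = {"Opened": run_open, "Closed": run_closed, "Diff": run_open - run_closed}
    return out


def backlog_report(events):
    """Whole pipeline: dedup -> replace -> timechart -> accum/fillnull/eval."""
    deduped = [replace_state(e) for e in dedup_latest(events)]
    return accumulate_with_diff(timechart_daily(deduped))


if __name__ == "__main__":
    for day, row in backlog_report(EVENTS).items():
        print(day, row)
```

Running it over the sample shows the Diff line levelling off on 2024-01-04, the day with no events: the bucket exists with zero counts, so the running totals and Diff carry forward unchanged instead of leaving a gap in the chart.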