Hi,
I'm working with old data where I need to get the value of a field for the 'supposed' previous month.
Here's my query:
index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=*
| eval _time = strptime(Date, "%m/%d/%y")
| timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
| eval Backlog_Total = Inflow - 'Closed/Cancelled'
And here's the result:
What I'm trying to do is to get the value of Backlog_Total of the supposed previous month which is '2017-05'.
How would I be able to do it? And also it needs to be dynamic.
I hope you can help me with this.
Thank you.
You can get the difference from the previous event with "delta".
index="sample_data" sourcetype="management_sampledata.csv" "Ticket Type"=* Priority=* Ticket_No=*
| eval _time = strptime(Date, "%m/%d/%y")
| timechart span=1mon count(eval(Status="Closed")) as Closed/Cancelled, count as Inflow
| eval Backlog_Total = Inflow - 'Closed/Cancelled'
| delta Backlog_Total as previous_month_Backlog_Total
| eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total
Hi @HiroshiSatoh,
I tried it but it doesn't work the way I want it.
It does not get the exact value of the field. It only got 180 instead of 183.
I was wrong.
| eval previous_month_Backlog_Total=Backlog_Total + previous_month_Backlog_Total
| eval previous_month_Backlog_Total=Backlog_Total - previous_month_Backlog_Total
delta gets the difference. 180 is the difference.
363-183=180
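Added example, not part of the original thread: a self-contained search that shows the two ways of recovering the previous month's Backlog_Total side by side. The rows are constructed with makeresults (183 and 363 come from the thread; the month labels, the 120 row and the diff, prev_via_delta, prev_via_streamstats and note field names are assumptions), and the streamstats variant is an alternative that was not suggested in the thread.

```spl
| makeresults count=3
| eval note = "constructed sample rows, not the poster's data"
| streamstats count as n
| eval month = case(n=1, "2017-04", n=2, "2017-05", n=3, "2017-06")
| eval Backlog_Total = case(n=1, 120, n=2, 183, n=3, 363)
| delta Backlog_Total as diff
| eval prev_via_delta = Backlog_Total - diff
| streamstats current=f window=1 last(Backlog_Total) as prev_via_streamstats
| table month Backlog_Total diff prev_via_delta prev_via_streamstats
```

On the first row there is no earlier event, so diff and both prev_* fields are empty; on every later row the two prev_* columns should agree.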