All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hi. I am indexing data from a ticketing tool.

aorkcreate
New Member
‎08-08-2018 01:29 PM

I need to see what tickets were opened at end of each month. I've done a initial charge of the database, because of this, I can't use the _time indexed, otherwise I have to use open_date and close_date. Basically, the logic that I need to apply is: Make a count of all tickets that were opened before end of month and were closed after the end of that month. I need show like timechart with this info by month. Any idea about the way to get this info? Maybe could be useful the gentimes command?

0 Karma
Reply

andreacorvini
Path Finder
‎08-09-2018 03:34 AM

An example:

index=your_index sourcetype=your_sourcetype source=your_source
| dedup your_incident_unique_key
| eval _time=strptime(open_date,"%Y-%m-%d %H:%M:%S")
| bucket _time span=1mon
| stats count by _time

0 Karma
Reply

aorkcreate
New Member
‎08-09-2018 10:53 AM

the command that you given does work but I need a trend line of how many open this month and how many open last month and sooo on

0 Karma
Reply

aorkcreate
New Member
‎08-09-2018 10:56 AM

I need that comparing trend line ,no of open by the end of each month .

example :- if a 5 tickets are open by end of January then it needs to append with with feb data but if 2 of January tickets is closed in feb then it should not show in trend line of feb but should show in jan and too on
.

0 Karma
Reply

andreacorvini
Path Finder
‎08-09-2018 11:42 PM

I'm not sure I understand what you want.
Statistics of closed tickets "| append" statistics of tickets that are still open?
If you want to see all the tickets opened as if they were open in the current month, overwrite the opening date with eval....
But your goal is not clear to me.

0 Karma
Reply

poete
Builder
‎08-09-2018 12:52 AM

Hello @aorkcreate,

can you please share a sample of the data you are working with?

0 Karma
Reply

aorkcreate
New Member
‎08-09-2018 10:50 AM

This is my sample data :-
{
"Application": "",
"Data Source Status": "open",
"Days Open": "0",
"Director": “abcd”,
"Director ID": “12345”,
"Director Username": “dcbd”,
"Last Updated": "8/6/2018 9:00:16 AM",
"Number of Days Past Due": "-30",
"Reason for Closure": "",
"Request URL": “https://abcd.com”,
"Required Remediation Date": "9/5/2018",
"Source": “with”,
"Status": "Open",
"Threat Level": "High",
"Unit CIO": "",
"Vector ID": “123456789”,
"Vector Status": "Valid",
"Vector Status Justification": "",
"Vulnerability Closed Date": "",
"Vulnerability ID": “with-123-456”,
"Vulnerability Open Date": "8/6/2018",
"Vulnerability Risk": "High",
"WAVM Hosting Location": "External",
"WAVM Inventory Application(s)": “1234-abcde-1234”,
"With Vulnerability ID": "51817015"
}

0 Karma
Reply

aorkcreate
New Member
‎08-09-2018 10:56 AM

I need that comparing trend line ,no of open by the end of each month .

example :- if a 5 tickets are open by end of January then it needs to append with with feb data but if 2 of January tickets is closed in feb then it should not show in trend line of feb but should show in jan and too on
.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...