Comments and answers for "How do I perform count logic on all entries for a specific line?"
https://answers.splunk.com/answers/479164/how-do-i-perform-count-logic-on-all-entries-for-a.html
Comment by sundareshr on sundareshr's comment
https://answers.splunk.com/comments/478325/view.html
Sounds like this is what you need
https://answers.splunk.com/answers/392089/ticket-analytics-how-to-chart-open-tickets-over-ti.html
Thu, 01 Dec 2016 13:51:00 GMT
sundareshr

Comment by andrewtrobec on andrewtrobec's answer
https://answers.splunk.com/comments/479172/view.html
Thanks for the answer. It's not quite what I'm looking for but it's given me something to work with. In reality the `given_day` should be the `_time` value for a particular entry.
What I'm looking for is:
Given the _time of an entry, how many objects were opened on or before that time, and how many of those same objects have been closed on or before that time?
Some pseudo-code:
    FOR EVERY ENTRY BEFORE _time
        INCLUDE IF [Opened] < [_time]
        INCLUDE IF [Closed] < [_time]
What makes it difficult is that I have to be able to search through all previous data to make my calculation, and I am struggling to figure out how to do that.
Regards,
Andrew
Thu, 01 Dec 2016 13:42:40 GMT
andrewtrobec

Answer by sundareshr
https://answers.splunk.com/answering/478319/view.html
How about this. I am assuming `given_day=today()`
    ... | eval e_closed=strptime(Closed, "%Y-%m-%d %H:%M:%S")
    | eval given_day=relative_time(now(), "@d")
    | eval o_count=if(_time<=given_day, 1, 0)
    | eval c_count=if(e_closed<=given_day, 1, 0)
    | timechart span=1d sum(o_count) as opened sum(eval(if(c_count=1 AND o_count=1, 1, 0))) as closed

Thu, 01 Dec 2016 13:06:02 GMT
sundareshr
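
The per-entry count asked for in the comment above, written out as an added example that is not part of the thread and not SPL: a Python sketch of the logic only. It assumes `_time` is the moment an object was opened (as the answer treats it), that `Closed` uses the format string from the answer and is empty while an object is still open, and that nothing closes before it opens; `running_counts`, `still_open` and the sample rows are hypothetical.

```python
from bisect import bisect_right
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"  # same format string the answer passes to strptime()


def parse(ts):
    """Return a datetime, or None for an empty/missing value (object still open)."""
    return datetime.strptime(ts, FMT) if ts else None


def running_counts(entries):
    """For each entry, count objects opened and closed on or before its _time.

    Assumption: `_time` is the open time and `Closed` is never earlier than it,
    so every object counted as closed is also counted as opened.
    """
    # Sort both timelines once so each entry needs only two binary searches.
    opened = sorted(parse(e["_time"]) for e in entries)
    closed = sorted(c for c in (parse(e.get("Closed")) for e in entries) if c)
    rows = []
    for e in entries:
        t = parse(e["_time"])
        # bisect_right returns how many values are <= t ("on or before").
        n_open = bisect_right(opened, t)
        n_closed = bisect_right(closed, t)
        rows.append({"_time": e["_time"], "opened": n_open,
                     "closed": n_closed, "still_open": n_open - n_closed})
    return rows


# Constructed sample data, not taken from the thread.
SAMPLE = [
    {"_time": "2016-11-28 09:00:00", "Closed": "2016-11-29 10:00:00"},
    {"_time": "2016-11-29 10:00:00", "Closed": "2016-12-01 08:30:00"},
    {"_time": "2016-11-30 14:15:00", "Closed": ""},
    {"_time": "2016-12-01 12:00:00", "Closed": "2016-12-01 12:45:00"},
]

if __name__ == "__main__":
    for row in running_counts(SAMPLE):
        print(row)
```

Because every entry is compared against the full sorted timelines, an object closed later than the current entry's `_time` is counted as opened but not yet closed.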