- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to breakdown ticket data and create line c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to breakdown ticket data and create line chart?
I am trying to display a line chart that counts in a 15min spans throughout the course of a day,
the number of tickets that were opened to my group by looking for my specific group name,
and only counting one time- the earliest time my group name appears in that ticket and treating
that as the time the ticket was opened to my group.
The only problem being that my group name will show multiple times in the ticket as we attempt to contact customers and tickets can leave our group to be sent to other groups throughout the day.
sourcetype=TicketSource
| stats NumberOfTickets=count(eval(searchmatch("MyGoupName")))
| dedup TicketNumbers
| bucket span=15m _time
| stats sum(NumberOfTickets) as "Number of tickets opened" by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
count(eval(searchmatch("MyGoupName")))
instead of stats on the condition. you can filter the data on the condition and then use timechart.
sourcetype=TicketSource
| dedup TicketNumbers
| eval mygroup=if(searchmatch("MyGoupName"), true, false)
| search mygroup=true
| timechart count span=15m
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for trying to help, but I'm still having trouble. Let me try to explain my situation a bit better in hopes that it may clear things up.
Im trying to count how many tickets are assigned to my group per hour by searching for the name of my group in the tickets and counting how many times it shows up. The problem is that the group name may show multiple times in a single ticket which causes my results to display a count for for each time the name appears in a single ticket instead of a count by ticket of the earliest time the group name appears in the ticket.
sourcetype=TicketDataSource AssignmentGroupField="MyGroupName"
| dedup TicketNumber
| timechart count span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im sorry but its just not working out. Im sure your advice would help under different circumstances, and I appreciate you. I just cant help to think that Im missing something.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use
AssignmentGroupField="MyGroupName"
after
dedup TicketNumber
This will ensure you will search for your group on the latest event related to the TicketNumber
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
