I'm working with ServiceNow incident logs and I'm trying to group events weekly, based on their final state in the week.
I've pulled them from the beginning of the year, and I did this starting about a month ago so _time is pretty skewed. I believe my desired field is "sys_updated_on".
I want to have a line graph for each incident's state, grouped by when it was last updated ("sys_updated_on").
This is how the search looks right now:
index=servicenow sourcetype=snow:incident incident_state=* | dedup sys_id | timechart span=7d count(sys_id)
I was looking at this one article (had to modify the URL since I don't have enough karma yet to post a URL), but I don't understand the syntax of how to use chart to do it.
splunkforums/answers/9730/using-a-different-time-base-on-timechart
Thanks,
Brandon
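One way to get the weekly "final state" view described in the question, as an added example rather than a search from the original post or from any answer on the page. It assumes sys_updated_on arrives as a string in the form YYYY-MM-DD HH:MM:SS in UTC (the ServiceNow default; adjust the strptime format if your export looks different) and that the 7-day buckets the question already uses are fine:

```spl
index=servicenow sourcetype=snow:incident incident_state=*
| eval _time=strptime(sys_updated_on." +0000", "%Y-%m-%d %H:%M:%S %z")
| where isnotnull(_time)
| bin _time span=7d as week
| dedup sys_id week sortby -_time
| timechart span=7d count by incident_state
```

Line by line: eval replaces the skewed ingest-time _time with the parse of sys_updated_on (the appended "+0000" pins the parse to UTC instead of the searching user's timezone); where drops events whose timestamp did not parse, so a format mismatch shows up as a lower count rather than a silent mis-bucket; bin ... as week writes the 7-day bucket into a separate field and leaves _time untouched; dedup with sortby -_time keeps, for each sys_id within each week, only the update with the latest sys_updated_on, which is that incident's final state for that week; timechart then counts those surviving events per week with one series per incident_state, which is the line-per-state graph asked for. Note that this counts an incident in every week in which it was updated, not in weeks where it sat unchanged; if you want the carried-forward state for quiet weeks you need a different approach (for example a filldown over a per-incident timechart).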