I would like to show an Open Ticket Count over time. A kind of “burndown chart”.
I’ve read around on the KB, but there seem to be quite a few people who have faced this issue over the years, but no good answer yet. The consensus seems to be to use lookups in order to maintain state, but this isn’t very useful for us since we are working off of purely historical data (not real-time). http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
In pseudocode, this is what I want to chart:
open_defects = {}
for day in date_range(now() - 90d, now()):
open_defect_count = SELECT defects WHERE date_created < day AND date_closed > day OR status="Open"
open_defects[day] = open_defect_count
line_chart(open_defects)
Any ideas for how to accomplish this? Just dedup'ing the tickets and charting count by date_created doesn't work, because the tickets are mostly all closed by now. I want the tickets that were "Open at X date".
Thanks in advance for help.
Charlie
↧