I have the following events:

TicketId     SplunkTimeStamp   Version
6.1608E+14   8/5/2016 8:32     16
6.1608E+14   8/4/2016 9:40
6.1608E+14   8/4/2016 8:50
6.1608E+14   8/4/2016 23:44    16
6.1608E+14   8/4/2016 8:00
6.1608E+14   8/4/2016 7:10
I want to get the total number of tickets by Version. Since some of the earlier events of a ticket do not have a Version, to avoid double counting I did:

index=events | eventstats latest(Version) as V by TicketId | stats dc(TicketId) as Total by V
However, the Total did not count a ticket that has only one event when that event has a version, such as:

TicketId     SplunkTimeStamp   Version
11111111     8/4/2016 10:44    16
22222222     8/3/2016 10:44    15

So the total number is less than expected.
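The search in the question is a two-stage pipeline: `eventstats latest(Version)` stamps every event of a ticket with the version seen on that ticket's most recent versioned event, and `stats dc(TicketId) by V` then counts each ticket once under that version. The Python below is an added example, not part of the original post and not Splunk code; it emulates those two stages over constructed events shaped like the ones in the question (ticket ids and a third, never-versioned ticket are made up) so the expected per-version counts can be checked offline. It assumes the Splunk behaviour that stats functions skip events where the field is null and that `stats ... by V` drops rows whose V is null.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events mirroring the question (ids are placeholders, not real tickets).
EVENTS = [
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/5/2016 8:32",  "Version": "16"},
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/4/2016 9:40",  "Version": None},
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/4/2016 8:50",  "Version": None},
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/4/2016 23:44", "Version": "16"},
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/4/2016 8:00",  "Version": None},
    {"TicketId": "TICKET-A", "SplunkTimeStamp": "8/4/2016 7:10",  "Version": None},
    # Single-event tickets that the question says were missing from the Total.
    {"TicketId": "11111111", "SplunkTimeStamp": "8/4/2016 10:44", "Version": "16"},
    {"TicketId": "22222222", "SplunkTimeStamp": "8/3/2016 10:44", "Version": "15"},
    # Constructed extra ticket with no version on any event: should fall out of the by-V result.
    {"TicketId": "33333333", "SplunkTimeStamp": "8/3/2016 11:00", "Version": None},
]


def parse_ts(s):
    """Timestamps in the question are M/D/YYYY H:MM."""
    return datetime.strptime(s, "%m/%d/%Y %H:%M")


def eventstats_latest(events, field, by):
    """Emulate `eventstats latest(<field>) as V by <by>`.

    For each group, V is the value of <field> on the chronologically latest event
    that actually carries <field>; events where it is null are skipped (assumed
    Splunk semantics for stats functions). Every event in the group gets V, even
    the ones that had no Version themselves.
    """
    latest = {}  # group key -> (timestamp, value)
    for e in events:
        if e.get(field) is None:
            continue
        key = e[by]
        ts = parse_ts(e["SplunkTimeStamp"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, e[field])
    return [dict(e, V=latest.get(e[by], (None, None))[1]) for e in events]


def stats_dc_by(events, dc_field, by):
    """Emulate `stats dc(<dc_field>) as Total by <by>`.

    Rows whose <by> field is null are dropped (assumed Splunk semantics), so a
    ticket that never had a Version does not appear under any version.
    """
    groups = defaultdict(set)
    for e in events:
        if e.get(by) is None:
            continue
        groups[e[by]].add(e[dc_field])
    return {v: len(ids) for v, ids in sorted(groups.items())}


def tickets_by_version(events):
    """The full pipeline from the question: eventstats latest(Version) by TicketId, then dc(TicketId) by V."""
    return stats_dc_by(eventstats_latest(events, "Version", "TicketId"), "TicketId", "V")


if __name__ == "__main__":
    for v, total in tickets_by_version(EVENTS).items():
        print(f"V={v}  Total={total}")
```

Run as written it reports Total=2 for version 16 (TICKET-A and 11111111) and Total=1 for version 15 (22222222): the single-event tickets are counted under this logic, so the shortfall in the question is not inherent to the eventstats/dc approach. The first thing to verify against the live index is that the field names in the search match the events exactly (the search as originally typed spelled the by-field `TickettId`) and that Version is extracted as a field on those single-event tickets rather than only appearing in the raw text.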