Hello all,
I have a search that goes like this:
index="_internal" (ticket_type="Incident") (classification="level-1" OR classification="level-2") (ticket_status="Closed" OR ticket_status="Resolved")
| stats dc(ticket_number) as "score"
| eval r = 1
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-1" OR classification="level-2") (NOT ticket_status="Cancelled") (sla_response="Breached")
| stats dc(ticket_number) as "missed"
| eval r = 1 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-1" OR classification="level-2") (ticket_status="Closed" OR ticket_status="Resolved") (NOT ticket_source="Alert") `comment("Priority Level 1 and 2 - Excluding Alerts")`
| stats dc(ticket_number) as "score"
| eval r = 2 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-1" OR classification="level-2") (NOT ticket_status="Cancelled") (sla_response="Breached") (NOT ticket_source="Alert")
| stats dc(ticket_number) as "missed"
| eval r = 2 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-1") (ticket_status="Closed" OR ticket_status="Resolved")
| stats dc(ticket_number) as "score"
| eval r = 3 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-1") (NOT ticket_status="Cancelled") (ticket_contract="Breached")
| stats dc(ticket_number) as "missed"
| eval r = 3 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-2") (ticket_status="Closed" OR ticket_status="Resolved")
| stats dc(ticket_number) as "score"
| eval r = 4 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-2") (NOT ticket_status="Cancelled") (ticket_contract="Breached")
| stats dc(ticket_number) as "missed"
| eval r = 4 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-2") (ticket_status="Closed" OR ticket_status="Resolved") (NOT ticket_source="Alert") `comment("Priority 2 - Excluding Alerts")`
| stats dc(ticket_number) as "score"
| eval r = 5 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-2") (NOT ticket_status="Cancelled") (ticket_contract="Breached") (NOT ticket_source="Alert")
| stats dc(ticket_number) as "missed"
| eval r = 5 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-3") (ticket_status="Closed" OR ticket_status="Resolved")
| stats dc(ticket_number) as "score"
| eval r = 6 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-3") (NOT ticket_status="Cancelled") (ticket_contract="Breached")
| stats dc(ticket_number) as "missed"
| eval r = 6 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-3") (ticket_status="Closed" OR ticket_status="Resolved")
| stats dc(ticket_number) as "score"
| eval r = 7 ]
| append
[ search index="_internal" (ticket_type="Incident") (classification="level-3") (NOT ticket_status="Cancelled") (ticket_contract="Breached") (NOT ticket_source="Alert")
| stats dc(ticket_number) as "missed"
| eval r = 7 ]
| selfjoin r
| eval met = score - missed
| eval performance = round((met / score) * 100, 2)
I am able to get the performance just fine.
However, I have to get the value of performance every month. I have tried:
| timechart span=1mon list(performance) as performance
...but nothing gets returned.
Can anybody please point me in the right direction?
Thank you.