Seeking help from Splunk gurus.
I have three sourcetypes: TICKET_OPENED, TICKET_ACTIVITY & TICKET_CLOSED. A common field among these three sourcetypes is TICKET_NUMBER.
It is possible that a specific TICKET_NUMBER was opened (exists in TICKET_OPENED) but was not closed (does not exist in TICKET_CLOSED). My question is how do I count the number of distinct TICKET_NUMBER that exist in all of the three sourcetypes?
PS - tried to look if this was previously asked but can't find any answer.