I am basically doing two searches where the results of the 1st search serve as input for the 2nd search.
There are also two sourcetypes: TICKET_OPENED & TICKET_CLOSED, both with a common field TICKET_NUMBER. Search on TICKET_OPENED is filtered using the field EQUIPMENT, which is not on TICKET_CLOSED. The resulting TICKET_NUMBER from TICKET_OPENED is used to do a subsearch on TICKET_CLOSED. Search command below:
index=xyz sourcetype=TICKET_OPENED TYPE=EQUIPMENT | dedup TICKET_NUMBER | join TICKET_NUMBER [ search index=xyz sourcetype=TICKET_CLOSED | fields TICKET_NUMBER, CLOSE_DATE ] | table TICKET_NUMBER CREATE_DATE CLOSE_DATE
As shown above, the fields CLOSE_DATE from TICKET_CLOSED and CREATE_DATE from TICKET_OPENED are also being extracted, since the main purpose of the search is to find the open-to-close duration of tickets.
The problem is that the above search does not return all results. Using "All time" (Jan to now) only returns x events; however, some per-month searches yield more than the all-time search. I've read that "join" has a certain limit. As additional info, TICKET_NUMBERs are in the millions (both for TICKET_OPENED & TICKET_CLOSED), and the TYPE=EQUIPMENT filter on TICKET_OPENED narrows it to thousands.
Sorry for the long narrative and thank you in advance.
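One way to sidestep the result cap that join inherits from its subsearch is to retrieve both sourcetypes in a single search and correlate them with stats by TICKET_NUMBER, so no subsearch is involved at all. This is an added example, not the original poster's search; it assumes that each event's _time reflects the open or close moment, and that CREATE_DATE and CLOSE_DATE can be carried through unchanged for display.

```spl
index=xyz (sourcetype=TICKET_OPENED TYPE=EQUIPMENT) OR sourcetype=TICKET_CLOSED
| fields sourcetype TICKET_NUMBER CREATE_DATE CLOSE_DATE _time
| stats values(CREATE_DATE) as CREATE_DATE
        values(CLOSE_DATE) as CLOSE_DATE
        min(eval(if(sourcetype=="TICKET_OPENED", _time, null()))) as open_epoch
        max(eval(if(sourcetype=="TICKET_CLOSED", _time, null()))) as close_epoch
        by TICKET_NUMBER
| where isnotnull(open_epoch) AND isnotnull(close_epoch)
| eval duration_hours = round((close_epoch - open_epoch) / 3600, 2)
| table TICKET_NUMBER CREATE_DATE CLOSE_DATE duration_hours
```

Because only EQUIPMENT-typed TICKET_OPENED events are pulled, open_epoch is null for every ticket that was not of that type, and the where clause drops those rows along with tickets that have not closed yet. Compare the row count of this search against the per-month join results to confirm the discrepancy came from the subsearch limit rather than from the data.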