Hello Everyone,
I have two events which I have uploaded in CSV format and the events will be consistent as below:
**Ticket_Number,Created_Date,Ticket_Status,End_Time**
INABCDEF,07/14/2016 06:36:47 AM,INPROG,07/14/2016 06:47:14 AM
INABCDEF,07/14/2016 06:36:47 AM,RESOLVED,07/14/2016 08:58:25 AM
I was able to find the duration for which the ticket INABCDEF was in INPROG by subtracting End_Time and Created_Date using eval with strptime.
To find the duration for the ticket with the status RESOLVED, I will need to subtract the End_Time when the ticket status was RESOLVED from the End_Time when the ticket was INPROG.
i.e., subtract the End_Time of event 2, where the status is RESOLVED, from the End_Time of event 1, where the status is INPROG.
I am new to Splunk and I don't know how to subtract field values from two different events. Let me know if anyone knows the answer to this.
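One way to compute both durations in a single search, added here as an example and not part of the original post: parse both timestamps with `strptime`, copy `End_Time` into a per-status field with `if`/`null()`, collapse the two events into one row per ticket with `stats`, and then subtract within that row. The source name `tickets.csv` is an assumption; the elapsed time is taken as the RESOLVED end minus the INPROG end so the result is positive.

```spl
source="tickets.csv" sourcetype="csv"
| eval created_epoch=strptime(Created_Date, "%m/%d/%Y %I:%M:%S %p"),
       end_epoch=strptime(End_Time, "%m/%d/%Y %I:%M:%S %p")
| eval inprog_end=if(Ticket_Status=="INPROG", end_epoch, null()),
       resolved_end=if(Ticket_Status=="RESOLVED", end_epoch, null())
| stats min(created_epoch) AS created_epoch,
        max(inprog_end)    AS inprog_end,
        max(resolved_end)  AS resolved_end
        BY Ticket_Number
| eval inprog_secs=inprog_end - created_epoch,
       resolved_secs=resolved_end - inprog_end
| eval inprog_duration=tostring(inprog_secs, "duration"),
       resolved_duration=tostring(resolved_secs, "duration")
| table Ticket_Number inprog_duration resolved_duration
```

`max()` ignores null values, so each ticket row keeps only the End_Time of the matching status; for the two sample rows above this gives 00:10:27 in INPROG and 02:11:11 from INPROG to RESOLVED.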