I'm trying to manipulate some data from our incident management software to calculate the amount of time an incident spends in a particular status (Open, Assigned, Work in Progress, Resolved, Pending, Closed). I've started with a search along these lines to calculate epoch time from the update time and then sort and streamstats to calculate the delta. At the end, I'm trying to lump them back in as a transaction but for some reason it fails
```
index=Incidents
| eval timey=strptime(UpdateTime,"%Y-%m-%d %H:%M:%S")
| reverse
| table Incident UpdateTime Status AssignmentGroup timey
| sort -Incident
| streamstats window=2 last(timey) as t1, first(timey) as t2 BY Incident reset_on_change=true
| eval timediff=round((t1-t2)/60,2)
| fields - timey t1 t2
| rename timediff AS "Duration(minutes)"
```
resulting in something like this:
![alt text][1]
But when I modify it to this so that I put the records into a transaction by Incident:
```
index=Incidents
| eval timey=strptime(UpdateTime,"%Y-%m-%d %H:%M:%S")
| reverse
| table Incident UpdateTime Status AssignmentGroup timey
| sort -Incident
| streamstats window=2 last(timey) as t1, first(timey) as t2 BY Incident reset_on_change=true
| eval timediff=round((t1-t2)/60,2)
| fields - timey t1 t2
| reverse
| transaction Incident
| table Incident UpdateTime Status AssignmentGroup timediff
| rename timediff AS "Duration(minutes)"
```
I get "No results found":
![alt text][2]
Any ideas on what I might be missing? Is there a restriction to transaction that might be preventing this? Thanks!
[1]: /storage/temp/170217-capture2.png
[2]: /storage/temp/170216-capture.png
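As an added worked example (not part of the original question or its answers), the search below computes the time each incident spends in each status while keeping `_time` in the pipeline. The point it illustrates: `transaction` groups and orders events on `_time`, and `table` drops every field it is not given, `_time` included, so a `transaction` placed after a `table` that omits `_time` has nothing to group on. The index name and field names (`Incidents`, `UpdateTime`, `Status`, `AssignmentGroup`, `Incident`) are taken from the question; the sample data is assumed to be one event per status change.

```spl
index=Incidents
| eval _time=strptime(UpdateTime,"%Y-%m-%d %H:%M:%S")
| sort 0 Incident -_time
| streamstats current=f window=1 first(_time) as next_time by Incident
| eval minutes_in_status=round((next_time-_time)/60,2)
| fields Incident UpdateTime Status AssignmentGroup minutes_in_status
| sort 0 Incident _time
| transaction Incident keepevicted=true
| table Incident Status minutes_in_status duration eventcount
```

Reading it: `eval _time=...` reuses the parsed update time as the event timestamp instead of a throwaway `timey` field. Sorting each incident newest-first and using `streamstats current=f window=1 ... by Incident` puts the timestamp of the following update on each row as `next_time`, so `next_time - _time` is the time spent in that row's status; the most recent row of each incident has no `next_time` and therefore a null duration, meaning the incident is still in that status. `fields` (rather than `table`) keeps `_time` so `transaction Incident` still has a timestamp to work with, and `sort 0` avoids the default 10,000-row cap of `sort`. If you only need totals per status, replace the last two lines with `| stats sum(minutes_in_status) as minutes by Incident Status`, which is also cheaper than `transaction` on large result sets.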