https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448743#M172394 <P>Try like this (update the functions used in timechart per your need)</P> <PRE><CODE>your base search | timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType </CODE></PRE> <P>The output will have fields like <CODE>Jabber_for_Mac:audio</CODE>, <CODE>Jabber_for_Mac:video</CODE>...</P> Mon, 18 Mar 2019 19:08:49 GMT somesoni2 2019-03-18T19:08:49Z https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448740#M172391 <P>Hello everybody,</P> <P>I would like to come up with a "timechart span=1d" with multiseries mode with audio vs video. below are the fields i have extracted from logs.</P> <P>callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB<BR /> audio 5752 23 4<BR /> video 1955 78 12</P> <P>Thanks,</P> Tue, 29 Sep 2020 23:45:34 GMT https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448740#M172391 splunkuseradmin 2020-09-29T23:45:34Z https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448741#M172392 <P>What search do you have so far? Have you tried something like this?<BR /> | timechart span=1d mode(audio) mode(video)</P> Mon, 18 Mar 2019 18:46:27 GMT https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448741#M172392 efavreau 2019-03-18T18:46:27Z https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448742#M172393 <P>I have below search so far.</P> <P><CODE>cdr_and_cmr_events</CODE> ( globalCallId_ClusterID="<EM>AMR</EM>")<BR /> | sort 0 + dateTimeConnect | eval durationStr=tostring(duration,"duration") <BR /> | stats min(_time) as _time list(callMediaType) as callMediaType list(callingPartyUnicodeLoginUserID) as callingPartyUnicodeLoginUserID list(destDeviceName) as destDeviceName max(_time) as detailLatest list(deviceName) as deviceName list(device_name) as device_name list(device_type) as device_type list(finalCalledPartyUnicodeLoginUserID) as finalCalledPartyUnicodeLoginUserID list(origDeviceName) as origDeviceName list(originalCalledPartyNumber) as originalCalledPartyNumber by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID <BR /> | search device_type=jabber | rename durationStr as duration<BR /> | sort 0 - _time<BR /><BR /> | fields _time callMediaType destDeviceName origDeviceName|stats count(eval(match(destDeviceName,"CSF"))) as "CSFA1" count(eval(match(origDeviceName,"CSF"))) as "CSFB1" count(eval(match(destDeviceName,"TCT"))) as "TCTA1" count(eval(match(origDeviceName,"TCT"))) as "TCTB1" count(eval(match(destDeviceName,"TAB"))) as "TABA1" count(eval(match(origDeviceName,"TAB"))) as "TABB1" by callMediaType<BR /> |eval CSF=CSFA1+CSFB1, TCT=TCTA1+TCTB1, TAB=TABA1+TABB1 |rename CSF as Jabber_for_Mac, TCT as Jabber_for_iOS, TAB as Jabber_for_TAB|fields callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB</P> Tue, 29 Sep 2020 23:45:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448742#M172393 splunkuseradmin 2020-09-29T23:45:39Z https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448743#M172394 <P>Try like this (update the functions used in timechart per your need)</P> <PRE><CODE>your base search | timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType </CODE></PRE> <P>The output will have fields like <CODE>Jabber_for_Mac:audio</CODE>, <CODE>Jabber_for_Mac:video</CODE>...</P> Mon, 18 Mar 2019 19:08:49 GMT https://community.splunk.com/t5/Splunk-Search/Need-quot-timechart-span-1day-quot-for-3-different-fields-by/m-p/448743#M172394 somesoni2 2019-03-18T19:08:49Z