Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need "timechart span=1day" for 3 different fields by audio vs video

splunkuseradmin
Path Finder
‎03-18-2019 11:41 AM

Hello everybody,

I would like to come up with a "timechart span=1d" with multiseries mode with audio vs video. below are the fields i have extracted from logs.

callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB
audio 5752 23 4
video 1955 78 12

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 12:08 PM

Try like this (update the functions used in timechart per your need)

your base search
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS  sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType

The output will have fields like Jabber_for_Mac:audio, Jabber_for_Mac:video...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 12:08 PM

Try like this (update the functions used in timechart per your need)

your base search
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS  sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType

The output will have fields like Jabber_for_Mac:audio, Jabber_for_Mac:video...

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎03-18-2019 11:46 AM

What search do you have so far? Have you tried something like this?
| timechart span=1d mode(audio) mode(video)

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunkuseradmin
Path Finder
‎03-18-2019 12:08 PM

I have below search so far.

cdr_and_cmr_events ( globalCallId_ClusterID="AMR")
| sort 0 + dateTimeConnect | eval durationStr=tostring(duration,"duration")
| stats min(_time) as _time list(callMediaType) as callMediaType list(callingPartyUnicodeLoginUserID) as callingPartyUnicodeLoginUserID list(destDeviceName) as destDeviceName max(_time) as detailLatest list(deviceName) as deviceName list(device_name) as device_name list(device_type) as device_type list(finalCalledPartyUnicodeLoginUserID) as finalCalledPartyUnicodeLoginUserID list(origDeviceName) as origDeviceName list(originalCalledPartyNumber) as originalCalledPartyNumber by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID
| search device_type=jabber | rename durationStr as duration
| sort 0 - _time

| fields _time callMediaType destDeviceName origDeviceName|stats count(eval(match(destDeviceName,"CSF"))) as "CSFA1" count(eval(match(origDeviceName,"CSF"))) as "CSFB1" count(eval(match(destDeviceName,"TCT"))) as "TCTA1" count(eval(match(origDeviceName,"TCT"))) as "TCTB1" count(eval(match(destDeviceName,"TAB"))) as "TABA1" count(eval(match(origDeviceName,"TAB"))) as "TABB1" by callMediaType
|eval CSF=CSFA1+CSFB1, TCT=TCTA1+TCTB1, TAB=TABA1+TABB1 |rename CSF as Jabber_for_Mac, TCT as Jabber_for_iOS, TAB as Jabber_for_TAB|fields callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...