
How to add values properly without losing the _time field

bobbyg
Engager

Hello Splunk Experts,

I am trying to get a dashboard built for our team. Basically we have this log (sample below); some values and names have been changed for security purposes.

2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000"

2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500"

2021-03-11 14:43:22.957, TestName="Callout", Timestamp = "1615491785132", calling_party="2133211234", called_party="3233211234", TestDuration="1250"

2021-03-11 14:43:07.958, TestName="Callin", Timestamp = "1615491770646", calling_party="3233211234", called_party="2133211234", TestDuration="2000"

2021-03-11 14:42:52.961, TestName="Callout", Timestamp = "1615491764476", calling_party="2133211234", called_party="3233211234", TestDuration="1100"

2021-03-11 14:42:37.959, TestName="Callin", Timestamp = "1615491745672", calling_party="3233211234", called_party="2133211234", TestDuration="1700"

So we have these test cases running all day; the above is just a sample. What we want to do is consolidate the called party and calling party numbers into one list (let's call that field telephone_number) and then add the test durations together as a total for one day per telephone number. Then compute how much a specific number is used every day and chart that in a dashboard (via line chart or something else); we may expand this to 7 days or 30 days, broken down by day stats.

We tried the following, but it seems like after the | stats sum, I lose the _time field, so the timechart at the end does not work.

index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| stats sum(TestDuration) as TestDuration by telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| eval Utilization=Utilization + "%"
| fields - TestDuration
| timechart span=1d avg(Utilization) by telephone_number


Thank you for your time and assistance

0 Karma
1 Solution

ITWhisperer
SplunkTrust
index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| bin span=1d _time
| stats sum(TestDuration) as TestDuration by _time telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| fields - TestDuration

This will get you the daily utilisation. The timechart with average does not do much, since there is only one result per day per number.

0 Karma
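To make the difference between the two searches concrete, here is the same pipeline modelled in Python. This is an added illustration, not code from the thread or from Splunk: it runs the question's six sample events (plus two constructed events on a second day, including a deliberately oversized TestDuration to exercise the 100% cap) through both versions, so you can see that `stats sum(...) by telephone_number` collapses all days into one row per number with no time key, while `bin span=1d _time` before the `stats` keeps a (day, number) key that a `timechart` can still use. Each function's docstring names the SPL command it mirrors; the function names and the constructed Timestamp values are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six events quoted in the question, plus two constructed events on the
# next day (the 90,000,000 ms TestDuration on 2021-03-12 is made up to
# exercise the 100 % cap; the Timestamp values on those lines are placeholders).
RAW_EVENTS = """\
2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000"
2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500"
2021-03-11 14:43:22.957, TestName="Callout", Timestamp = "1615491785132", calling_party="2133211234", called_party="3233211234", TestDuration="1250"
2021-03-11 14:43:07.958, TestName="Callin", Timestamp = "1615491770646", calling_party="3233211234", called_party="2133211234", TestDuration="2000"
2021-03-11 14:42:52.961, TestName="Callout", Timestamp = "1615491764476", calling_party="2133211234", called_party="3233211234", TestDuration="1100"
2021-03-11 14:42:37.959, TestName="Callin", Timestamp = "1615491745672", calling_party="3233211234", called_party="2133211234", TestDuration="1700"
2021-03-12 09:00:00.000, TestName="Callout", Timestamp = "1615557600000", calling_party="2133211234", called_party="5551230000", TestDuration="90000000"
2021-03-12 09:30:00.000, TestName="Callin", Timestamp = "1615559400000", calling_party="5551230000", called_party="2133211234", TestDuration="3600000"
"""

TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# Tolerates the spaces around "=" that the Timestamp field has in the sample.
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_event(line):
    """Extract _time and the key="value" fields from one log line."""
    m = TIME_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    return fields


def parse_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def expand_numbers(events):
    """eval telephone_number=mvappend(calling_party, called_party) | mvexpand telephone_number"""
    rows = []
    for e in events:
        for number in (e.get("calling_party"), e.get("called_party")):
            if number:
                rows.append({"_time": e["_time"], "telephone_number": number,
                             "TestDuration": int(e["TestDuration"])})
    return rows


def sum_by_number(rows):
    """stats sum(TestDuration) by telephone_number  (the asker's version: _time is gone)"""
    totals = defaultdict(int)
    for r in rows:
        totals[r["telephone_number"]] += r["TestDuration"]
    return dict(totals)


def sum_by_day_and_number(rows):
    """bin span=1d _time | stats sum(TestDuration) by _time telephone_number"""
    totals = defaultdict(int)
    for r in rows:
        day = r["_time"].date().isoformat()      # the day bucket stands in for binned _time
        totals[(day, r["telephone_number"])] += r["TestDuration"]
    return dict(totals)


def utilization(total_ms):
    """eval TestDuration=TestDuration/1000 | eval Utilization=round(TestDuration/86400*100,1) | eval Utilization=if(Utilization>100,100,Utilization)"""
    seconds = total_ms / 1000
    pct = round(seconds / 86400 * 100, 1)
    return min(pct, 100)


def daily_utilization(text):
    """Full accepted-answer pipeline: {(day, telephone_number): utilization %}."""
    rows = expand_numbers(parse_events(text))
    return {key: utilization(ms) for key, ms in sum_by_day_and_number(rows).items()}


if __name__ == "__main__":
    rows = expand_numbers(parse_events(RAW_EVENTS))
    print("without _time:", sum_by_number(rows))           # one row per number, both days merged
    for key, pct in sorted(daily_utilization(RAW_EVENTS).items()):
        print(key, pct)                                     # one row per day per number
```

Running it shows 2133211234 summed to a single 93,608,550 ms row in the first version, while the binned version keeps 8,550 ms for 2021-03-11 and 93,600,000 ms for 2021-03-12 (capped to 100% utilisation). Note also that the accepted answer drops the asker's `| eval Utilization=Utilization + "%"` line: once a "%" is appended the value is a string, so the `avg(Utilization)` in the closing timechart would no longer return a number.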

bobbyg
Engager

Thank you for your reply. Sorry it took me a while to respond; I got busy the past few days. You got me to where I needed to be to complete the graph; I just needed to add timechart at the bottom. Thank you again.

0 Karma