Hello Splunk Experts,
I am trying to get a dashboard built for our team. Basically, we have this log (sample below); some values and names have been changed for security purposes.
2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000"
2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500"
2021-03-11 14:43:22.957, TestName="Callout", Timestamp = "1615491785132", calling_party="2133211234", called_party="3233211234", TestDuration="1250"
2021-03-11 14:43:07.958, TestName="Callin", Timestamp = "1615491770646", calling_party="3233211234", called_party="2133211234", TestDuration="2000"
2021-03-11 14:42:52.961, TestName="Callout", Timestamp = "1615491764476", calling_party="2133211234", called_party="3233211234", TestDuration="1100"
2021-03-11 14:42:37.959, TestName="Callin", Timestamp = "1615491745672", calling_party="3233211234", called_party="2133211234", TestDuration="1700"
So we have these test cases running all day; the above is just a sample. What we want to do is consolidate the called party and calling party numbers into one list (let's call that field telephone_number) and then add the test durations together as a total for 1 day per telephone number, then compute how much a specific number is used every day and chart that in a dashboard (via line chart or something else). We may expand this to 7 days or 30 days, broken down by day stats.
We tried the following, but it seems like after the | stats sum, I lose the _time field, so the timechart at the end does not work.
index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| stats sum(TestDuration) as TestDuration by telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| eval Utilization=Utilization + "%"
| Fields - TestDuration
| timechart span=1d avg(Utilization) by telephone_number
Thank you for your time and assistance.
index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| bin span=1d _time
| stats sum(TestDuration) as TestDuration by _time telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| Fields - TestDuration
This will get you the daily utilisation - the timechart with average does not do much since there is only one result per day per number.
Thank you for your reply, sorry it took me a while to respond, got busy the past few days. You got me to where I needed to be to complete the graph, just needed to add timechart at the bottom. Thank you again.
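An offline cross-check of the per-day, per-number aggregation discussed in this thread, added here as an example in Python (it is not code from any poster). It mirrors the `bin` / `stats ... by _time telephone_number` steps so dashboard values can be compared against raw log lines; the function name `daily_utilization` and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines come from the sample in the question; the last two are
# constructed to add a second day and a total that exercises the 100% cap.
SAMPLE = '''\
2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000"
2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500"
2021-03-12 09:00:00.000, TestName="Callout", Timestamp = "1615557600000", calling_party="2133211234", called_party="5553211234", TestDuration="43200000"
2021-03-12 21:00:00.000, TestName="Callin", Timestamp = "1615600800000", calling_party="5553211234", called_party="3233211234", TestDuration="50000000"
'''

# key="value" pairs; tolerates the spaces around '=' seen in 'Timestamp = "..."'
KV = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def daily_utilization(text):
    """Return {(day, telephone_number): percent of that day in use}."""
    total_ms = defaultdict(int)
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "TestDuration" not in fields:
            continue  # skip blank or malformed lines
        day = line[:10]  # same role as `bin span=1d _time`
        # same role as mvappend + mvexpand: one row per party on the call
        for key in ("calling_party", "called_party"):
            if key in fields:
                total_ms[(day, fields[key])] += int(fields["TestDuration"])
    # same role as `stats sum(TestDuration) by _time telephone_number`
    # followed by the ms -> s conversion, rounding and the 100% cap
    return {k: min(round(ms / 1000 / 86400 * 100, 1), 100)
            for k, ms in total_ms.items()}


if __name__ == "__main__":
    for (day, number), pct in sorted(daily_utilization(SAMPLE).items()):
        print(day, number, pct)
```

Because the day is part of the grouping key, each result keeps its time bucket, which is what the original `stats ... by telephone_number` discarded.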