
How to Add values properly without losing _time field

bobbyg
Engager

Hello Splunk Experts,

I am trying to get a dashboard built for our team. Basically, we have this log (sample below); some values and names have been changed for security purposes.

2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000"

2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500"

2021-03-11 14:43:22.957, TestName="Callout", Timestamp = "1615491785132", calling_party="2133211234", called_party="3233211234", TestDuration="1250"

2021-03-11 14:43:07.958, TestName="Callin", Timestamp = "1615491770646", calling_party="3233211234", called_party="2133211234", TestDuration="2000"

2021-03-11 14:42:52.961, TestName="Callout", Timestamp = "1615491764476", calling_party="2133211234", called_party="3233211234", TestDuration="1100"

2021-03-11 14:42:37.959, TestName="Callin", Timestamp = "1615491745672", calling_party="3233211234", called_party="2133211234", TestDuration="1700"

So we have these test cases running all day; the above is just a sample. What we want to do is consolidate the called party and calling party numbers into one list (let's call that field telephone_number) and then add the test durations together as a total for 1 day per telephone number, then compute how much a specific number is used every day and chart that in a dashboard (via line chart or something else). We may expand this to 7 days or 30 days, broken down by day stats.

We tried the following, but it seems like after the | stats sum, I lose the _time field, so the timechart at the end does not work.

index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| stats sum(TestDuration) as TestDuration by telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| eval Utilization=Utilization + "%"
| Fields - TestDuration
| timechart span=1d avg(Utilization) by telephone_number

 

Thank you for your time and assistance

 


ITWhisperer
SplunkTrust
index=tester_main sourcetype=test_main (calling_party=* OR called_party=*)
| eval telephone_number=mvappend(calling_party, called_party)
| mvexpand telephone_number
| bin span=1d _time
| stats sum(TestDuration) as TestDuration by _time telephone_number
| eval TestDuration='TestDuration'/1000
| eval Utilization=round(((TestDuration/86400)*100),1)
| eval Utilization=if(Utilization >100, 100, Utilization)
| Fields - TestDuration

This will get you the daily utilisation. The timechart with average does not do much, since there is only one result per day per number.


bobbyg
Engager

Thank you for your reply. Sorry it took me a while to respond; I got busy the past few days. You got me to where I needed to be to complete the graph; I just needed to add timechart at the bottom. Thank you again.
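The daily roll-up from the accepted answer, modeled in Python as an added example (not code from the thread or from Splunk): it parses events in the log format shown in the question, emits one row per party, and shows that the day survives aggregation only when it is part of the grouping key. The sample events, the number 4155550100 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the thread's log format (all values are made up).
SAMPLE_LOG = """\
2021-03-10 09:00:00.000, TestName="Callout", Timestamp = "1615366800000", calling_party="2133211234", called_party="3233211234", TestDuration="21600000"
2021-03-10 18:00:00.000, TestName="Callin", Timestamp = "1615399200000", calling_party="3233211234", called_party="4155550100", TestDuration="10800000"
2021-03-11 08:00:00.000, TestName="Callout", Timestamp = "1615449600000", calling_party="2133211234", called_party="3233211234", TestDuration="43200000"
2021-03-11 20:00:00.000, TestName="Callin", Timestamp = "1615492800000", calling_party="3233211234", called_party="2133211234", TestDuration="54000000"
"""

# Matches key="value" pairs, tolerating the spaces in: Timestamp = "..."
KV = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse(line):
    """Split one event into its leading timestamp and its key="value" fields."""
    stamp, _, rest = line.partition(", ")
    event = dict(KV.findall(rest))
    event["_time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
    return event


def utilization(log, by_day=True):
    """Sum TestDuration per number; the day stays only if it is in the key."""
    totals = defaultdict(int)
    for line in log.splitlines():
        ev = parse(line)
        # mvappend + mvexpand: one row per party involved in the test
        for number in (ev["calling_party"], ev["called_party"]):
            # bin span=1d _time + "by _time": truncate to the day and group on it.
            # by_day=False mirrors the question's stats, which groups on number only.
            day = ev["_time"].date().isoformat()
            key = (day, number) if by_day else number
            totals[key] += int(ev["TestDuration"])
    # ms -> s, share of an 86400 s day, one decimal, capped at 100
    return {k: min(round(ms / 1000 / 86400 * 100, 1), 100)
            for k, ms in totals.items()}


if __name__ == "__main__":
    for key, pct in sorted(utilization(SAMPLE_LOG).items()):
        print(key, pct)
```

With `by_day=False` the result is keyed by number alone, which is the shape the question's `stats` produced and the reason the later `timechart` had no time axis to work with.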
