Hello Splunk community,
For this dataset :
| Time | Agent | Number of calls taken |
| 11:00 AM | John | 1 |
| 11:00 AM | Kate | 0 |
| 11:00 AM | Eric | 1 |
| 10:00 AM | John | 2 |
| 10:00 AM | Kate | 1 |
| 10:00 AM | Eric | 0 |
| 9:00 AM | John | 0 |
| 9:00 AM | Kate | 1 |
| 9:00 AM | Eric | 1 |
| 8:00 AM | John | 3 |
| 8:00 AM | Kate | 1 |
| 8:00 AM | Eric | 2 |
| 7:00 AM | John | 3 |
| 7:00 AM | Kate | 5 |
| 7:00 AM | Eric | 2 |
| 6:00 AM | John | 2 |
| 6:00 AM | Kate | 3 |
| 6:00 AM | Eric | 0 |
Is it possible to get a moving average for each agent along with the moving average for the total amount of calls in one specific hour and to place this all into a time chart?
this is the Splunk query I'm currently using :
| union [| search <insert index here> AGENT=* | bin _time span=1h | stats count BY _time | trendline wma2(count) AS AverageNumberoftotalcallsperhour |table _time AverageNumberoftotalcallsperhour ]
[| search <insert index here> Agent=Kate| bin _time span=1h | stats count BY _time | trendline wma2count) AS AvgKate |table _time AvgKate ]
[| search<insert index here> Agent=John| bin _time span=1h | stats count BY _time | trendline wma2(count) AS AverageNumberOfCallsPerHourbyJohn |table _time AverageNumberOfCallsPerHourbyJohn ]
[| search<insert index here> Agent=Eric| bin _time span=1h | stats count BY _time | trendline wma2(count) AS AvgEric |table _time AvgEric ]
However, when trying to run the splunk query, the output isn't correct :
| _time | AverageNumberoftotalcallsperhour | AvgKate | AverageNumberOfCallsPerHourbyJohn | AvgEric | | |
| 6:00 AM | 2 | | | | | |
| 7:00 PM | 2 | | | | | |
| 8:00 AM | | 3 | | | | |
| 9:00 AM | | 3 | | | | |
| 10:00 AM | | | 4 | | | |
| 11:00 AM | | | 4 | | | |
Noon | | | | 5 | | |
