1. How to get the total sum of call_Duration time for all call_Name values mentioned below in Splunk, converted from ms to seconds, with the details below
call_Name=A
call_Duration=501
call_Name=B
call_Duration=2456
call_Name=C
call_Duration=1115
call_Name=D
call_Duration=1598
call_Name=E
call_Duration=1621
And also I have another column (column name is E2E time) which is a total of 17.677 seconds
2. Need help in calculating total time difference for total E2E Time - call_Duration
|makeresults | eval _raw="
call_Name call_Duration E2E
A 501 17.677
B 2456 17.677
C 1115 17.677
D 1598 17.677
E 1621 17.677"
| multikv forceheader=1
| fields - linecount _*
| eval call_Duration = call_Duration / 1000
| stats sum(call_Duration) AS call_Duration sum(E2E) AS E2E sum(eval(E2E - call_Duration)) AS sum_diff BY call_Name
Thanks. Seeing error in make results command
Just cut it and paste it and run it AS-IS. Do not modify anything at first.
Hi @monicateja,
Try this if you need to find the sum and difference by call_Name:
index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec by call_Name
| eval time_diff=E2E_time_sec-call_Duration_sec
Or this if you need the total sum for all the call_Names:
index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec
| eval time_diff=E2E_time_sec-call_Duration_sec
Hi @monicateja
I'm not sure how your raw events look, but hopefully this run-anywhere example helps you...
| makeresults
| eval _raw="call_Name,call_Duration
A,501
B,2456
C,1115
D,1598
E,1621"
| multikv forceheader=1
| eval E2E_time_sec="17.677"
``` above just creates dummy data ```
``` add the following to your search ```
| eval call_Duration_sec=(call_Duration/1000) ``` convert milliseconds to seconds ```
| addcoltotals call_Duration_sec ``` sum call durations ```
| table call_Name call_Duration_sec E2E_time_sec
| filldown E2E_time_sec
| eval time_diff_sec=(E2E_time_sec - call_Duration_sec) ``` time diff call durations to E2E time ```
Hope this helps