Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Individual results for stats in a chart.

StuReeves
Explorer
‎04-28-2017 03:26 AM

I'm pretty sure this is going to be very obvious but it's one of those days again.

I've a field Duration_Seconds to establish length of calls going through the system. I'm trying to display say the top 20 longest calls, however, whatever I try, it basis the results on total count, not length.

So even if I have a hundred calls at 30 seconds long that's not what I'm after, I,m after the individual call at 12257 seconds, 10545 seconds, 10140 seconds etc. However, if I have 5 calls at 900 seconds, I still need to see those as separate instances.

Does that make sense?

The search I'm using is:

host=*|search Code_Dialled=9 Duration_Seconds=* |sort - "Duration_Seconds"

which gives me it as a search, it's the last bit I'm stumped on.

Thanks again,
Stu..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

StuReeves
Explorer
‎04-28-2017 05:01 AM

Hi thanks for getting back. It gives pretty much what i already have. The issue is when I try and chart it say using top 100 "Call_Duration" it goes back to giving me the top number by count, so I have 5 calls at 425 seconds as my number one in the chart. I'd ideally like to show say the top 20 / 50, so if I have 5 calls all at 999, they are all shown as individual calls.
So if I search it give me the below, which is perfect.

alt text

But what I actually get using, say Top 20.... is
alt text

Hopefully this makes a little more sense

View solution in original post

Preview file
19 KB
Preview file
19 KB
0 Karma
Reply
Solved! Jump to solution
Solution

StuReeves
Explorer
‎04-28-2017 05:01 AM

Hi thanks for getting back. It gives pretty much what i already have. The issue is when I try and chart it say using top 100 "Call_Duration" it goes back to giving me the top number by count, so I have 5 calls at 425 seconds as my number one in the chart. I'd ideally like to show say the top 20 / 50, so if I have 5 calls all at 999, they are all shown as individual calls.
So if I search it give me the below, which is perfect.

alt text

But what I actually get using, say Top 20.... is
alt text

Hopefully this makes a little more sense

Preview file
19 KB
Preview file
19 KB
0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎04-28-2017 05:54 AM

First, when responding to an answer, it is best to put your response as a comment to the answer and not a new answer. Use the "Add comment" link below the answer to do this.

Regarding your question. What do you want on the x-axis of the chart? Do you want time? If not, please clarify.

0 Karma
Reply
Solved! Jump to solution

StuReeves
Explorer
‎04-28-2017 06:11 AM

Ooops sorry about that.

Good point on the X axis never thought about that.
It would be a field called Called_Number (not shown on the sample)

So X would be the number they dialled and Y would be the amount of time they spent on that (long) call.

Thanks again,

Stu..

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎04-28-2017 06:16 AM

Then try this search.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds | table "Called_Number" "Duration_Seconds"

And play with that in the Search app where you can choose a Column chart.

0 Karma
Reply
Solved! Jump to solution

StuReeves
Explorer
‎04-28-2017 06:24 AM

Brilliant thanks. It needs a little tweaking ( more cosmetic than anything else) but it's sent me down the right path.

I can normally brute force my way when learning new systems, but it's nice to have help when you need it and coming from a non-db / programming backgrounding, this forum is a great help thanks to the contribrutors.

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎04-28-2017 04:10 AM

This is what I think you want. Note, your search pipeline segment should be moved to the first part of the query. Here is what i mean.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...