Splunk Search

Individual results for stats in a chart.

StuReeves
Explorer

I'm pretty sure this is going to be very obvious but it's one of those days again.

I've a field Duration_Seconds to establish length of calls going through the system. I'm trying to display say the top 20 longest calls, however, whatever I try, it bases the results on total count, not length.

So even if I have a hundred calls at 30 seconds long that's not what I'm after, I'm after the individual call at 12257 seconds, 10545 seconds, 10140 seconds etc. However, if I have 5 calls at 900 seconds, I still need to see those as separate instances.

Does that make sense?

The search I'm using is:

host=*|search Code_Dialled=9 Duration_Seconds=* |sort - "Duration_Seconds"

which gives me it as a search, it's the last bit I'm stumped on.

Thanks again,
Stu..

0 Karma
1 Solution

StuReeves
Explorer

Hi thanks for getting back. It gives pretty much what I already have. The issue is when I try and chart it say using top 100 "Call_Duration" it goes back to giving me the top number by count, so I have 5 calls at 425 seconds as my number one in the chart. I'd ideally like to show say the top 20 / 50, so if I have 5 calls all at 999, they are all shown as individual calls.
So if I search it gives me the below, which is perfect.

[screenshot: search results, one row per call]

But what I actually get using, say Top 20.... is

[screenshot: top results, one row per duration value with count]

Hopefully this makes a little more sense


0 Karma


rjthibod
Champion

First, when responding to an answer, it is best to put your response as a comment to the answer and not a new answer. Use the "Add comment" link below the answer to do this.

Regarding your question. What do you want on the x-axis of the chart? Do you want time? If not, please clarify.

0 Karma

StuReeves
Explorer

Ooops sorry about that.

Good point on the X axis never thought about that.
It would be a field called Called_Number (not shown on the sample)

So X would be the number they dialled and Y would be the amount of time they spent on that (long) call.

Thanks again,

Stu..

0 Karma

rjthibod
Champion

Then try this search.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds" | table "Called_Number" "Duration_Seconds"

And play with that in the Search app where you can choose a Column chart.

0 Karma

StuReeves
Explorer

Brilliant thanks. It needs a little tweaking ( more cosmetic than anything else) but it's sent me down the right path.

I can normally brute force my way when learning new systems, but it's nice to have help when you need it and coming from a non-db / programming background, this forum is a great help thanks to the contributors.

0 Karma

rjthibod
Champion

This is what I think you want. Note, your search pipeline segment should be moved to the first part of the query. Here is what I mean.

host=* Code_Dialled=9 Duration_Seconds=* | sort 20 -"Duration_Seconds"

0 Karma
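Added example, not part of the thread above: the two searches below reproduce the difference between `top` and `sort N -field` that this thread turns on, using a small set of constructed call records built inline with `makeresults` so they run in any Splunk search bar without the asker's index. The field names Called_Number and Duration_Seconds are taken from the thread; the phone numbers and durations are made up. The first search is the count-ranked form the asker was getting (one row per distinct duration value, ordered by how many calls share it); the second is the event-ranked form rjthibod suggested (one row per call, longest first, up to 20 rows).

```spl
| makeresults
| eval calls="02071234567:12257,01614567890:10545,01214567890:10140,0800123456:999,0800654321:999,0800999999:999,0800111222:999,02089990000:425,02089990000:425,02089990000:425,02089990000:425,02089990000:425"
| eval calls=split(calls, ",")
| mvexpand calls
| eval Called_Number=mvindex(split(calls, ":"), 0)
| eval Duration_Seconds=tonumber(mvindex(split(calls, ":"), 1))
| fields - calls _time
| top 20 Duration_Seconds

| makeresults
| eval calls="02071234567:12257,01614567890:10545,01214567890:10140,0800123456:999,0800654321:999,0800999999:999,0800111222:999,02089990000:425,02089990000:425,02089990000:425,02089990000:425,02089990000:425"
| eval calls=split(calls, ",")
| mvexpand calls
| eval Called_Number=mvindex(split(calls, ":"), 0)
| eval Duration_Seconds=tonumber(mvindex(split(calls, ":"), 1))
| fields - calls _time
| sort 20 -Duration_Seconds
| table Called_Number Duration_Seconds
```

Run each search separately. The `top` search returns five rows (425 with count 5 first, then 999 with count 4, then the three single long calls), which is exactly the count-based ranking the asker saw in the chart. The `sort` search returns twelve rows, one per call, starting 12257, 10545, 10140, then the four 999-second calls and the five 425-second calls as separate rows, and a Column chart over that table plots one bar per call. One caveat for the real index: `sort` only orders numerically when Splunk treats the field as a number, so if Duration_Seconds was extracted as a string use `sort 20 -num(Duration_Seconds)` to avoid lexical ordering (where "999" would sort above "12257").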