Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need "timechart span=1day" for 3 different fields by audio vs video

splunkuseradmin
Path Finder
‎03-18-2019 11:41 AM

Hello everybody,

I would like to come up with a "timechart span=1d" with multiseries mode with audio vs video. below are the fields i have extracted from logs.

callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB
audio 5752 23 4
video 1955 78 12

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 12:08 PM

Try like this (update the functions used in timechart per your need)

your base search
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS  sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType

The output will have fields like Jabber_for_Mac:audio, Jabber_for_Mac:video...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 12:08 PM

Try like this (update the functions used in timechart per your need)

your base search
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS  sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType

The output will have fields like Jabber_for_Mac:audio, Jabber_for_Mac:video...

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎03-18-2019 11:46 AM

What search do you have so far? Have you tried something like this?
| timechart span=1d mode(audio) mode(video)

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunkuseradmin
Path Finder
‎03-18-2019 12:08 PM

I have below search so far.

cdr_and_cmr_events ( globalCallId_ClusterID="AMR")
| sort 0 + dateTimeConnect | eval durationStr=tostring(duration,"duration")
| stats min(_time) as _time list(callMediaType) as callMediaType list(callingPartyUnicodeLoginUserID) as callingPartyUnicodeLoginUserID list(destDeviceName) as destDeviceName max(_time) as detailLatest list(deviceName) as deviceName list(device_name) as device_name list(device_type) as device_type list(finalCalledPartyUnicodeLoginUserID) as finalCalledPartyUnicodeLoginUserID list(origDeviceName) as origDeviceName list(originalCalledPartyNumber) as originalCalledPartyNumber by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID
| search device_type=jabber | rename durationStr as duration
| sort 0 - _time

| fields _time callMediaType destDeviceName origDeviceName|stats count(eval(match(destDeviceName,"CSF"))) as "CSFA1" count(eval(match(origDeviceName,"CSF"))) as "CSFB1" count(eval(match(destDeviceName,"TCT"))) as "TCTA1" count(eval(match(origDeviceName,"TCT"))) as "TCTB1" count(eval(match(destDeviceName,"TAB"))) as "TABA1" count(eval(match(origDeviceName,"TAB"))) as "TABB1" by callMediaType
|eval CSF=CSFA1+CSFB1, TCT=TCTA1+TCTB1, TAB=TABA1+TABB1 |rename CSF as Jabber_for_Mac, TCT as Jabber_for_iOS, TAB as Jabber_for_TAB|fields callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...