Splunk Search

Need "timechart span=1day" for 3 different fields by audio vs video

splunkuseradmin
Path Finder

Hello everybody,

I would like to come up with a "timechart span=1d" in multiseries mode with audio vs video. Below are the fields I have extracted from logs.

callMediaType   Jabber_for_Mac   Jabber_for_iOS   Jabber_for_TAB
audio           5752             23               4
video           1955             78               12

Thanks,


somesoni2
Revered Legend

Try like this (update the functions used in timechart per your need)

your base search
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS  sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType

The output will have fields like Jabber_for_Mac:audio, Jabber_for_Mac:video...



efavreau
Motivator

What search do you have so far? Have you tried something like this?
| timechart span=1d mode(audio) mode(video)

###

If this reply helps you, an upvote would be appreciated.

splunkuseradmin
Path Finder

I have the below search so far.

cdr_and_cmr_events ( globalCallId_ClusterID="AMR")
| sort 0 + dateTimeConnect
| eval durationStr=tostring(duration,"duration")
| stats min(_time) as _time list(callMediaType) as callMediaType list(callingPartyUnicodeLoginUserID) as callingPartyUnicodeLoginUserID list(destDeviceName) as destDeviceName max(_time) as detailLatest list(deviceName) as deviceName list(device_name) as device_name list(device_type) as device_type list(finalCalledPartyUnicodeLoginUserID) as finalCalledPartyUnicodeLoginUserID list(origDeviceName) as origDeviceName list(originalCalledPartyNumber) as originalCalledPartyNumber by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID
| search device_type=jabber
| rename durationStr as duration
| sort 0 - _time
| fields _time callMediaType destDeviceName origDeviceName
| stats count(eval(match(destDeviceName,"CSF"))) as "CSFA1" count(eval(match(origDeviceName,"CSF"))) as "CSFB1" count(eval(match(destDeviceName,"TCT"))) as "TCTA1" count(eval(match(origDeviceName,"TCT"))) as "TCTB1" count(eval(match(destDeviceName,"TAB"))) as "TABA1" count(eval(match(origDeviceName,"TAB"))) as "TABB1" by callMediaType
| eval CSF=CSFA1+CSFB1, TCT=TCTA1+TCTB1, TAB=TABA1+TABB1
| rename CSF as Jabber_for_Mac, TCT as Jabber_for_iOS, TAB as Jabber_for_TAB
| fields callMediaType Jabber_for_Mac Jabber_for_iOS Jabber_for_TAB

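Added example, not code from either poster in this thread: the accepted answer's timechart needs rows that still carry _time, but the search above ends with a stats command grouped only by callMediaType, which collapses every call into one row per media type and drops the timestamp. One way to keep a day-level timestamp through the same counting logic and then split the series by audio vs video is to bucket _time with bin before that stats and add _time to its by clause. Field names and the CSF/TCT/TAB device-name prefixes are the ones used in the thread; the per-call stats is trimmed to the fields the daily counts need, and the source cdr_and_cmr_events with the cluster filter is assumed to match the poster's environment.

```spl
cdr_and_cmr_events globalCallId_ClusterID="AMR"
| sort 0 + dateTimeConnect
| stats min(_time) as _time list(callMediaType) as callMediaType list(destDeviceName) as destDeviceName list(origDeviceName) as origDeviceName list(device_type) as device_type by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID
| search device_type=jabber
| fields _time callMediaType destDeviceName origDeviceName
| bin _time span=1d
| stats count(eval(match(destDeviceName,"CSF"))) as CSFA1 count(eval(match(origDeviceName,"CSF"))) as CSFB1 count(eval(match(destDeviceName,"TCT"))) as TCTA1 count(eval(match(origDeviceName,"TCT"))) as TCTB1 count(eval(match(destDeviceName,"TAB"))) as TABA1 count(eval(match(origDeviceName,"TAB"))) as TABB1 by _time callMediaType
| eval Jabber_for_Mac=CSFA1+CSFB1, Jabber_for_iOS=TCTA1+TCTB1, Jabber_for_TAB=TABA1+TABB1
| timechart span=1d sum(Jabber_for_Mac) as Jabber_for_Mac sum(Jabber_for_iOS) as Jabber_for_iOS sum(Jabber_for_TAB) as Jabber_for_TAB by callMediaType
```

The result is one row per day with columns named Jabber_for_Mac:audio, Jabber_for_Mac:video, Jabber_for_iOS:audio and so on, which is the multiseries layout timechart produces for a by clause. Because the second stats already totals each day and media type, sum() in timechart only carries those totals through; keeping span=1d on both bin and timechart keeps the bucket boundaries aligned so no day is split across two rows.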