index=_* OR index=* sourcetype=Kamailio BC="Current Billable Calls Count:" | rex field=_raw "Count:(?<Billablecalls>.*)" | timechart max(Billablecalls)
index=_* OR index=* sourcetype=Kamailio NBC="Current NON-Billable Calls Count:" | rex field=_raw "Calls Count:(?<NonBillableCalls>.*)" | timechart max(NonBillableCalls)
index=_* OR index=* sourcetype=Kamailio CAIB="Current Active Inbound Calls:" | rex field=_raw "Calls: (?<Inboundcalls>.*)" | timechart max(Inboundcalls)
The above three are separate searches but I would like to combine them and plot over a single Calls against Time chart. Is there any viable solution for this?
Any degree of help will be appreciated.
Yes. The timechart will have produced a table which the graph is just a visualisation of. You can eval a total field as being the sum of the three fields you already have. You can then adjust the visualisation to add an overlay specifying the total field you just created
I did,
| eval totalCalls = 'in_calls' + 'nb_calls' + 'b_calls' | table _time totalCalls
and displayed the total result.
Thanks a bunch, cheers!
You don't need the table _time totalCalls at the end; the extra field is in the table. Just adjust the chart format.
It is not possible to tell from the information you have given. For example, if you combined billable calls and non-billable calls, your rex expression as it stands could give you the wrong values. You should probably modify these so that each one would only work on the relevant events and not match for the irrelevant events. You would have to either share examples of all the events you are dealing with or work that out yourself.
Thanks for the reply. I figured that out myself by using the appendcols command, but now my concern is: is there a way to calculate the total number at a given instant using multi-line graphs and also plot that on the same multi-line graph?
I've attached a screenshot of what I've achieved so far, hope it can give you an idea
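The advice in this thread, combined into one search, as an added example that is not from any of the posters: each rex is anchored on its full label so it only extracts from its own event type, and the total is computed after timechart. It assumes the count is an integer directly after each label (the thread shows no sample events); the field names b_calls, nb_calls and in_calls are taken from the eval posted above, and coalesce keeps the total defined for time buckets where one series has no events.

```spl
index=_* OR index=* sourcetype=Kamailio ("Current Billable Calls Count:" OR "Current NON-Billable Calls Count:" OR "Current Active Inbound Calls:")
| rex field=_raw "Current Billable Calls Count:\s*(?<b_calls>\d+)"
| rex field=_raw "Current NON-Billable Calls Count:\s*(?<nb_calls>\d+)"
| rex field=_raw "Current Active Inbound Calls:\s*(?<in_calls>\d+)"
| timechart max(b_calls) AS b_calls max(nb_calls) AS nb_calls max(in_calls) AS in_calls
| eval totalCalls = coalesce(b_calls, 0) + coalesce(nb_calls, 0) + coalesce(in_calls, 0)
```

This gives one row per time bucket with all four fields, so totalCalls can be selected as the chart overlay in the visualisation format settings without appendcols.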