Activity Feed
- Posted Re: How do I Redistribute duration of events when duration > 1h over a timechart with a 1h span? on Dashboards & Visualizations. 06-16-2022 04:01 AM
- Posted Re: How do I Redistribute duration of events when duration > 1h over a timechart with a 1h span? on Dashboards & Visualizations. 06-16-2022 03:02 AM
- Karma Re: How do I Redistribute duration of events when duration > 1h over a timechart with a 1h span? for ITWhisperer. 06-16-2022 02:41 AM
- Posted How do I Redistribute duration of events when duration > 1h over a timechart with a 1h span? on Dashboards & Visualizations. 06-14-2022 03:49 AM
- Tagged How do I Redistribute duration of events when duration > 1h over a timechart with a 1h span? on Dashboards & Visualizations. 06-14-2022 03:49 AM
- Posted How to implement multi language support in custom dashboards? on Dashboards & Visualizations. 03-17-2022 04:01 AM
- Tagged How to implement multi language support in custom dashboards? on Dashboards & Visualizations. 03-17-2022 04:01 AM
- Posted Re: Filtering a timechart on time to remove unwanted data on Splunk Search. 10-18-2021 03:44 AM
- Posted Re: Filtering a timechart on time to remove unwanted data on Splunk Search. 10-18-2021 02:03 AM
- Posted Re: Filtering a timechart on time to remove unwanted data on Splunk Search. 10-18-2021 01:52 AM
- Posted Filtering a timechart on time to remove unwanted data on Splunk Search. 09-21-2021 10:30 AM
- Tagged Filtering a timechart on time to remove unwanted data on Splunk Search. 09-21-2021 10:30 AM
- Posted Re: Manipulating time token with a comparison in dashboard on Dashboards & Visualizations. 06-16-2021 08:08 AM
06-16-2022 04:01 AM
You're absolutely right. I didn't pay attention to that as I was using a table afterwards and wanted to see Old and new Duration calculation side by side. But your code is not touching duration until the case condition so it's irrelevant to store old duration.
06-16-2022 03:02 AM
Thanks a lot! I just noticed one thing in your solution, which is that I got issues with situations where there is a Duration < 3600 and the event is not "overflowing" into the next hour. I added an OldDuration field to keep a trace of the original event duration and put a table command to display the data after your proposition, and noticed that the issue was happening for durations on a single line with the field "hours" = "-1". So I just modified it this way:
| eval Duration=case(hours=-1,OldDuration,row==0,remaining,row==maxrow,last,1==1,3600)
I think it is correct because it happens when Duration - Remaining time (in the current hour) is negative, which makes sense. Anyway, thanks a lot!
06-14-2022 03:49 AM
Hello,
First of all, sorry for my lack of knowledge if my question looks silly.
I have a datasource providing events as follows :
State Start Timestamp / UserName / StateName / Duration of the State in seconds / State End Timestamp
I'm trying to produce a timechart that is showing the duration in each state for each user with a 1h span so that we could see clearly the time spent in each state by the users for each hour of the day.
The issue is that a user can start a state at a given time and have a duration bigger than 1h.
For example, a user logs in and is available at 8:32 and stays in "available" state during 2h.
What I get so far with a basic timechart span=1h of the states by user :
2h in 8h span
nothing in 9h span
nothing in 10h span
I would need to manipulate the query or the events in a way that will make the timechart report in this example :
28 min in 8h span
1 hour in 9h span
32 min in 10h span
as the state lasted between 8h32 and 10h32.
Here's my query today :
| eval AvailableDuration = if(State="Available",Duration,0)
| eval BusyDuration = if(State="Busy",Duration,0)
| eval CallDuration = if(State="In Call",Duration,0)
| timechart span=1h fixedrange=false useother=f limit=0
sum(CallDuration) as "In call"
sum(AvailableDuration) as "available"
sum(BusyDuration) as "Busy"
by UserName
Is there a way to redistribute the durations by manipulating data so that each hourly span is properly populated ?
Thanks in advance for your help !
Labels: Dashboard Studio, timechart
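One way to get the split described in the question above, shown as an added example that is not part of the original thread or of the answer it received: expand each event into one row per hour it touches and keep only the overlap with that hour. It assumes `_time` is the state start and `Duration` is in seconds; the `makeresults` event and the field names `state_start`, `state_end` and `bucket_start` are constructed for illustration.

```spl
| makeresults ```constructed sample event: Available from 08:32 for 2 h```
| eval _time=strptime("2022-06-14 08:32:00","%Y-%m-%d %H:%M:%S")
| eval UserName="user1", State="Available", Duration=7200
| eval state_start=_time, state_end=_time+Duration ```assumes _time is the state start```
| eval bucket_start=mvrange(relative_time(state_start,"@h"), state_end, 3600) ```one value per hour touched```
| mvexpand bucket_start
| eval Duration=min(state_end, bucket_start+3600) - max(state_start, bucket_start) ```overlap with that hour```
| eval _time=bucket_start
| eval AvailableDuration = if(State="Available",Duration,0)
| eval BusyDuration = if(State="Busy",Duration,0)
| eval CallDuration = if(State="In Call",Duration,0)
| timechart span=1h fixedrange=false useother=f limit=0
    sum(CallDuration) as "In call"
    sum(AvailableDuration) as "available"
    sum(BusyDuration) as "Busy"
    by UserName
```

For the sample event this puts 1680 s in the 08:00 span, 3600 s in 09:00 and 1920 s in 10:00; with real data, replace the first three lines with the base search.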
03-17-2022 04:01 AM
Hi there,
I have created a dozen statistics dashboards with search / filtering and drilldown for customers using a production voice platform.
Each of those dashboards includes multiple panels, each delivering 10+ metrics which are consistent in naming across the different dashboards.
Just for the example there can be "Offered calls", "picked up calls", "lost calls", "waiting time", etc.
Those reports are today in French, with rename commands in the query so that it looks nice reading the data for the French users, as the source is in English.
I'd like to have those dashboards to be available in other languages, so there is the basic option to clone all those reports and suffix their names with a language code but that would be tedious and would not offer some dynamic option for users to switch language.
I would like to have some dynamic option using a language input form or detecting language of the Splunk user so that all the fields / metrics used in those dashboard are being translated.
Basically have a translation table I could maintain while new fields / metrics are added and new language is required.
Is that something possible ?
I couldn't find the beginning of an idea of how to achieve this frankly.
Labels: Dashboard Studio
10-18-2021 03:44 AM
Well, I did your query with time range = beginning of the week and I get a lot of empty rows. Then I modified your proposition with a WHEN condition on _time and this stripped all the unwanted values from the timechart (and I'm not talking about the visualisation):
| gentimes start=-1 increment=1h
| rename starttime as _time
| streamstats count as row
| timechart values(row)
| where _time < strptime("2021-10-18 00:10:00","%Y-%m-%d %H:%M:%S.%Q")
So I'm not sure I get your point. I know the timechart will be done on the whole time period; my question is exactly about removing data from a timechart result before visualising the results.
10-18-2021 02:03 AM
Hi, I'm not sure I agree with this. I think the timechart is built out of the search result, i.e. the table of results produced by the query. The query itself will use the set of data covered by the earliest / latest set in the visualisation panel. But controlling the content of this output table will control the drawing of the timechart. I found the solution actually, and this was about adding before my final WHERE condition the addinfo + the calculation of end / beginning again:
| addinfo
| eval end=if(info_max_time=="+Infinity",now(),info_max_time)-432000
| eval beginning=if(info_min_time=="0.000",1604260193,info_min_time)+432000
| where _time >= beginning and _time <= end
| fields _time Décrochés Reçus
10-18-2021 01:52 AM
Hello, thanks for taking time to look at it. It's actually a big dashboard where the users can select a time range. The goal of the stats then is to show the number of calls arrived and also picked up within that range (among other metrics). The issue is that _time used by the search is only based on the time of arrival of the call. So in the XML of the dashboard I'm doing +432000 to latest and -432000 to earliest, stored in specific tokens that are being used by the search. Then inside the search query I'm removing those offsets to reduce the time period to what the user initially selected for the calculation of the metrics. So I'm voluntarily taking a wider time period for the search so I can get, for example, calls that arrived before the time period selected but were picked up within the time period. I actually changed my query a bit since then to do that in 2 steps with an appendcols in the middle, having a first query calculating offered calls with _time = OfferedTime and then a second one calculating picked up calls with _time = PickedUpTime.
09-21-2021 10:30 AM
Hello, I'm building some dashboard statistics from telecom data. I have a data source as follows:
_time OfferedTime PickedUpTime Offered="0/1" Handled="0/1"
_time is populated with OfferedTime.
The user can use a time picker that is generating a token. I'm manipulating this token by going 5 days in the past for earliest and 5 days in the future for latest in the dashboard to get a wider data set than the one selected by the user, and then using variables in the search to restore the time boundaries to the initial selection, which I use for some specific calculation (not shown in the code sample). I'm trying to timechart some metrics and to remove all data that is out of the time range initially selected by the user:
[MYSEARCH]
| addinfo
| eval end=if(info_max_time=="+Infinity",now(),info_max_time)-432000
| eval beginning=if(info_min_time=="0.000",1604260193,info_min_time)+432000
| eval DateBegin = beginning
| eval DateEnd = end
| eval FormatTime = _time
| timechart
count(eval(if(strptime(OfferedTime,"%Y-%m-%d %H:%M:%S.%Q") > beginning and strptime(OfferedTime,"%Y-%m-%d %H:%M:%S.%Q") < end,Offered,null()))) as OfferedCalls
count(eval(if(Handled="1" AND strptime(PickedUpTime,"%Y-%m-%d %H:%M:%S.%Q") > beginning and strptime(PickedUpTime,"%Y-%m-%d %H:%M:%S.%Q") < end AND BindType_ID!=4 AND BindType_ID!=5,Handled,null()))) as HandledCalls
| where _time > beginning and _time < end
I added DateBegin / DateEnd / FormatTime as I wanted to make sure in the events tab that my dates had the correct format and could be compared.
_time | OfferedTime | DateBegin | DateEnd | FormatTime |
---|---|---|---|---|
21/09/2021 18:24:54,000 | 2021-09-21 18:24:54.0 | 1630926000.000 | 1632223379.000 | 1632241494.000 |
The result of this search is ... no results found. If I go to the events tab, copy the DateBegin and DateEnd and change my search to:
| where _time > 1630926000.000 and _time < 1632223379.000
It works fine and I get the expected result... I don't understand why...
If I don't put the where condition at the end I get this result:
_time | OfferedCalls | HandledCalls |
---|---|---|
2021-09-04 | 0 | 0 |
2021-09-05 | 0 | 0 |
2021-09-06 | 156 | 115 |
2021-09-07 | 215 | 174 |
2021-09-08 | 280 | 217 |
2021-09-09 | 227 | 176 |
2021-09-10 | 223 | 184 |
2021-09-11 | 0 | 0 |
2021-09-12 | 0 | 0 |
2021-09-13 | 336 | 254 |
2021-09-14 | 285 | 220 |
2021-09-15 | 228 | 172 |
2021-09-16 | 243 | 177 |
2021-09-17 | 273 | 197 |
2021-09-18 | 0 | 0 |
What I'm trying to get is:
_time | OfferedCalls | HandledCalls |
---|---|---|
2021-09-06 | 156 | 115 |
2021-09-07 | 215 | 174 |
2021-09-08 | 280 | 217 |
2021-09-09 | 227 | 176 |
2021-09-10 | 223 | 184 |
2021-09-11 | 0 | 0 |
2021-09-12 | 0 | 0 |
2021-09-13 | 336 | 254 |
2021-09-14 | 285 | 220 |
2021-09-15 | 228 | 172 |
2021-09-16 | 243 | 177 |
2021-09-17 | 273 | 197 |
Basically getting rid of the data before / after my date range (beginning / end) without losing the 0 values which are inside the time range. I tried to play with various functions to replace 0 with NULL outside the range but couldn't manage to have this apply only outside my time range. If anybody has an idea on how to solve this issue that would be great. Thanks in advance!
Labels: timechart
06-16-2021 08:08 AM
Thank you so much! Quite simple and elegant, and it gave me headaches for 2 days 😉 Any idea why I couldn't make some simple numeric comparison / evaluation in my XML?
06-16-2021 03:13 AM
Hi there, I'm quite new to Splunk, so sorry in advance if I'm asking a silly question. I'm trying to modify the token selected by the user with the time picker earliest / latest to have -5 days / +5 days, which I'm then using in epoch format in my search combined with info_min_time / info_max_time. So far, following other topics and the knowledge base, I've been able to get it down, except when the user selects "All time" in the time picker, which ends up having an earliest token with a negative value. I'm doing the following at the beginning of my dashboard and then using TimeRange.earliest_epoch / TimeRange.latest_epoch in my panels.
<input type="time" token="TimeRange">
  <label>TimeRange</label>
  <default>
    <earliest>0</earliest>
    <latest></latest>
  </default>
  <change>
    <eval token="TimeRange.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest'))-432000</eval>
    <eval token="TimeRange.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest'))+432000</eval>
  </change>
</input>
I added a table panel to display the values of the tokens to see what's happening exactly:
<row>
  <panel>
    <table>
      <title>testDates</title>
      <search>
        <query>| makeresults
| eval StartTimestamp0="$TimeRange.earliest$"
| eval StartTimestamp1=$TimeRange.earliest_epoch$
| eval starttime=strftime(StartTimestamp1,"%Y-%m-%d %H:%M:%S.%Q")</query>
        <earliest>$TimeRange.earliest$</earliest>
        <latest>$TimeRange.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>
No surprise, when selecting "All time" it gave me:
StartTimestamp0 = 0
StartTimestamp1 = -432000
Which is making my subsequent searches in panels fail. I don't manage to catch the case where earliest = 0 before assigning a value to TimeRange.earliest_epoch, or to check if the second token equals -432000 to assign a different value (1514764800 in this case, as this is a safe old date for my dataset). All my attempts failed, such as adding a second token where I checked if equal to -432000 or below 0:
<eval token="TimeRange.earliest_epoch2">if('TimeRange.earliest_epoch'=='-432000','1514764800','TimeRange.earliest_epoch')</eval>
or
<eval token="TimeRange.earliest_epoch2">if('TimeRange.earliest_epoch'<'0','1514764800','TimeRange.earliest_epoch')</eval>
The second token kept the value of TimeRange.earliest_epoch. I added an imbricated if condition in the first token eval and again it looks like it goes to the else case every time. Can you please help me understand what is failing? Thanks in advance!
Labels: token