Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i set different timeline for my search?

tamduong16
Contributor
‎12-15-2017 08:51 AM

I have the following search:

index="monthlycdr" "Call Duration"=* Name=\"***\" | eval "Call Duration"=replace('Call Duration',"\"","") | convert dur2sec("Call Duration") as "CDinsec" | eval "Name"=replace('Name',"\"","")

| eval "transporttype"=replace('Transport Type',"\"","") | eval "Voice_count"=case( match(transporttype, "(?i)voice") OR match(transporttype, "(?i)pstn"), CDinsec)
| eval "Video_count" =case(match(transporttype, "^(?i)h323$") OR match(transporttype, "^(?i)sip$"),CDinsec)
| stats avg("Voice_count") as Avg_Voice, avg("Video_count") as Avg_Video by Name

Which only bring up the name of my units within the time frame that I set. But I want to also view other units that haven't been use in the selected time frame. These units would exit in all time. How can I join them in my search? When I do a subsearch for all time, it only displays the name of units within the general time frame that I select. I want to bring up the name of those units that haven't been use as well.

0 Karma
Reply

somesoni2
Revered Legend
‎12-15-2017 09:22 AM

Try this

index="monthlycdr" "Call Duration"= Name=\"**\" | eval "Call Duration"=replace('Call Duration',"\"","") | convert dur2sec("Call Duration") as "CDinsec" | eval "Name"=replace('Name',"\"","") 
| eval "transporttype"=replace('Transport Type',"\"","") | eval "Voice_count"=case( match(transporttype, "(?i)voice") OR match(transporttype, "(?i)pstn"), CDinsec) 
| eval "Video_count" =case(match(transporttype, "^(?i)h323$") OR match(transporttype, "^(?i)sip$"),CDinsec) 
| stats avg("Voice_count") as Avg_Voice, avg("Video_count") as Avg_Video by Name
| append [search index=monthlycdr earliest=0 | eval "Name"=replace('Name',"\"","") | stats count by Name | table Name]
| stats values(*) as * by Name
Reply

tamduong16
Contributor
‎12-15-2017 09:46 AM

@someoni2,
Thanks for the answer. It worked but when I throw the rest of the search with it, I have error like expected AND. Here is the search:

index="monthlycdr" $result0sec$ $result$ | eval "Call Duration"=replace('Call Duration',"\"","") | convert dur2sec("Call Duration") as "CDinsec" | eval "Name"=replace('Name',"\"","")
| eval "Name" = upper(Name)
| eval "transporttype"=replace('Transport Type',"\"","") | eval "Voice_count"=case( match(transporttype, "(?i)voice") OR match(transporttype, "(?i)pstn"), CDinsec)
| eval "Video_count" =case(match(transporttype, "^(?i)h323$$") OR match(transporttype, "^(?i)sip$$"),CDinsec)
| stats avg("Voice_count") as Avg_Voice, avg("Video_count") as Avg_Video, sum("Voice_count") as Sum_Voice, sum("Video_count") as Sum_Video by Name
| eval "Avg_Voice"=tostring($$Avg_Voice$$,"duration") | eval Avg_Voice=if(isnull(Avg_Voice), "00:00:00", replace(Avg_Voice,"(\d+):(\d+):(\d+).(\d+)","\1:\2:\3"))
| eval "Avg_Video"=tostring($$Avg_Video$$,"duration") | eval Avg_Video=if(isnull(Avg_Video), "00:00:00", replace(Avg_Video,"(\d+):(\d+):(\d+).(\d+)","\1:\2:\3"))
| eval "Sum_Voice"=tostring($$Sum_Voice$$,"duration") | eval Sum_Voice=if(isnull(Sum_Voice), "00:00:00", replace(Sum_Voice,"(\d*)+(\d+):(\d+):(\d+)","\1D \2:\3:\4"))
| eval "Sum_Video"=tostring($$Sum_Video$$,"duration") | eval Sum_Video=if(isnull(Sum_Video), "00:00:00", replace(Sum_Video,"(\d)+(\d+):(\d+):(\d+)","\1D \2:\3:\4"))
| append [search index=monthlycdr earliest=0 | eval "Name"=replace('Name',"\"","") | stats count by Name | table Name]
| stats values() as * by Name

For simplicity, I left out the eval portion but I didn't know it would create problem. Sorry!

0 Karma
Reply

tamduong16
Contributor
‎12-15-2017 09:51 AM

please ignore $result0sec$ $result$. I left them out in the search

0 Karma
Reply

somesoni2
Revered Legend
‎12-15-2017 10:48 AM

Does it work find without the subsearch?

0 Karma
Reply

tamduong16
Contributor
‎12-15-2017 11:13 AM

yes, it works before the subsearch!
It also works with the subsearch if I delete all of the eval expression from the search.

0 Karma
Reply

somesoni2
Revered Legend
‎12-15-2017 11:27 AM

In the last stats command, are you missing a asterisk in values function?

0 Karma
Reply

tamduong16
Contributor
‎12-15-2017 02:09 PM

I just rerun it with the asterisk in values function but have the same result. Thanks again for helping me!

0 Karma
Reply

somesoni2
Revered Legend
‎12-15-2017 09:00 AM

What's the full search that you used, which includes your all time subsearch? You should be using earliest=0 in the subsearch to override the timerange just for that subsearch.

0 Karma
Reply

tamduong16
Contributor
‎12-15-2017 09:18 AM

this is my full search which it only gives me the same result if I run the above search.

index="monthlycdr" "Call Duration"= Name=\"**\" | eval "Call Duration"=replace('Call Duration',"\"","") | convert dur2sec("Call Duration") as "CDinsec" | eval "Name"=replace('Name',"\"","")
| eval "transporttype"=replace('Transport Type',"\"","") | eval "Voice_count"=case( match(transporttype, "(?i)voice") OR match(transporttype, "(?i)pstn"), CDinsec)
| eval "Video_count" =case(match(transporttype, "^(?i)h323$") OR match(transporttype, "^(?i)sip$"),CDinsec)
| stats avg("Voice_count") as Avg_Voice, avg("Video_count") as Avg_Video by Name
| join Name
[search index=monthlycdr earliest=0
| eval "Name"=replace('Name',"\"","")
| table Name]

thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...