I have a field called "call_duration" expressed as 00:00:17, and another field called "Party1Name" which is simply a name string.
How can I sum these duration times up per caller?
I have tried this:
sourcetype=smdr|stats sum(Call_duration) by Party1Name
but Call_duration ends up being empty.
Try this instead:
sourcetype=smdr | eval duration=strptime(call_duration,"%H:%M:%S") | stats sum(duration) by Party1Name
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
EDIT: The reason you need to use strptime functions is because Splunk looks at the call_duration as a simple string and not as seconds that can be added or performed any arithmetic functions on. Hope this clarifies it.
Try this instead:
sourcetype=smdr | eval duration=strptime(call_duration,"%H:%M:%S") | stats sum(duration) by Party1Name
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
EDIT: The reason you need to use strptime functions is because Splunk looks at the call_duration as a simple string and not as seconds that can be added or performed any arithmetic functions on. Hope this clarifies it.
Glad to hear. Please mark as answered. Thanks.
Actually that worked. Thanks. Call_duration had wrong case.
Thanks for the quick response, however, its still blank.