Hello Splunk Experts, I am trying to get a dashboard built for our team. basically we have this log (sample below) some values and names changed for security purposes. 2021-03-11 14:44:52.961, TestName="Callout", Timestamp = "1615491891055", calling_party="2133211234", called_party="3233211234", TestDuration="1000" 2021-03-11 14:44:37.964, TestName="Callin", Timestamp = "1615491871148", calling_party="3233211234", called_party="2133211234", TestDuration="1500" 2021-03-11 14:43:22.957, TestName="Callout", Timestamp = "1615491785132", calling_party="2133211234", called_party="3233211234", TestDuration="1250" 2021-03-11 14:43:07.958, TestName="Callin", Timestamp = "1615491770646", calling_party="3233211234", called_party="2133211234", TestDuration="2000" 2021-03-11 14:42:52.961, TestName="Callout", Timestamp = "1615491764476", calling_party="2133211234", called_party="3233211234", TestDuration="1100" 2021-03-11 14:42:37.959, TestName="Callin", Timestamp = "1615491745672", calling_party="3233211234", called_party="2133211234", TestDuration="1700" so we have these test cases running all day, above is just a sample. what we want to do is consolidate the called party and calling party numbers into 1 list lets call that field as telephone_number and then add the test duration together as total for 1day per telephone number. then compute it how much a specific number is used every day and then chart that in a dashboard (via linechart or something else) showing may expand this to 7days or 30 days broken down by day stats. We tried the following but it seems like after the | stats sum, I loose the _time field so the timechart at the end does not work. index=tester_main sourcetype=test_main (calling_party=* OR called_party=*) | eval telephone_number=mvappend(calling_party, called_party) | mvexpand telephone_number | stats sum(TestDuration) as TestDuration by telephone_number | eval TestDuration='TestDuration'/1000 | eval Utilization=round(((TestDuration/86400)*100),1) | eval Utilization=if(Utilization >100, 100, Utilization) | eval Utilization=Utilization + "%" | Fields - TestDuration | timechart span=1d avg(Utilization) by telephone_number Thank you for your time and assistance
... View more