I have an application to analyse phone call data from multiple locations.
I want to generate a report that provides a time history of concurrent calls at each location.
Using this query I can get exactly what I want for a single location:
index=calls locat=8374 | eval start_epoch=strptime(start_time,"%Y-%m-%d %H:%M:%S") | concurrency duration=call_duration start=start_epoch | timechart max(concurrency)
However, when I use all locations (as below) I get incorrect data:
index=calls locat=* | eval start_epoch=strptime(start_time,"%Y-%m-%d %H:%M:%S") | concurrency duration=call_duration start=start_epoch | timechart max(concurrency)
I've established that the concurrency command determines concurrency for all data passed into it and even when the output is split by 'location', the concurrency for each location is determined from the data for all locations rather than the data for each location separately.
My suggestion would be to add a 'group by xxx' clause to the concurrency command that will calculate the concurrency separately for the data associated to each occurrence of field xxx.
Alternatively, does anyone know of a way to achieve the result I am looking for within the current functionality of Splunk?
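As an added illustration (not part of the original post, and not Splunk's own implementation) of why the all-locations query inflates the numbers, the script below models the concurrency computation on a handful of constructed call records: each call's concurrency is the number of calls whose span covers that call's start time. It computes the per-location maximum two ways, once over the pooled data (what `concurrency` followed by a split by location does) and once per location, and shows where the two disagree. The field names `locat`, `start_time` and `call_duration` and the time format are taken from the question; the sample rows and the simplified concurrency definition are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # same format as the strptime() call in the SPL query

# Constructed sample records (not real call data). Durations are in seconds.
# Location 8374 has two overlapping calls; location 9001 has one call that
# overlaps both of them in time, but never overlaps another 9001 call.
CALLS = [
    {"locat": "8374", "start_time": "2024-01-01 09:00:00", "call_duration": 600},
    {"locat": "8374", "start_time": "2024-01-01 09:05:00", "call_duration": 600},
    {"locat": "8374", "start_time": "2024-01-01 09:30:00", "call_duration": 60},
    {"locat": "9001", "start_time": "2024-01-01 09:06:00", "call_duration": 300},
    {"locat": "9001", "start_time": "2024-01-01 10:00:00", "call_duration": 120},
]


def to_epoch(text):
    """Parse the start_time string into epoch seconds (UTC, to avoid DST surprises)."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc).timestamp()


def concurrency(calls):
    """Simplified model of the concurrency command: for every call, count the
    calls (itself included) whose [start, start + duration) span covers this
    call's start time. Returns one value per input call, in input order."""
    spans = [(to_epoch(c["start_time"]), to_epoch(c["start_time"]) + c["call_duration"])
             for c in calls]
    return [sum(1 for s2, e2 in spans if s2 <= start < e2) for start, _ in spans]


def max_concurrency_by_location(calls, per_location):
    """Return {location: max concurrency}.

    per_location=False pools every call before computing concurrency and only
    then splits the result by location (the behaviour described in the post).
    per_location=True runs the computation on each location's calls alone
    (the 'group by' behaviour the post asks for)."""
    groups = defaultdict(list)
    for c in calls:
        groups[c["locat"]].append(c)

    result = {}
    if per_location:
        for loc, loc_calls in groups.items():
            result[loc] = max(concurrency(loc_calls))
    else:
        pooled = concurrency(calls)  # computed across all locations at once
        for c, value in zip(calls, pooled):
            result[c["locat"]] = max(result.get(c["locat"], 0), value)
    return result


if __name__ == "__main__":
    print("pooled then split:", max_concurrency_by_location(CALLS, per_location=False))
    print("per location:     ", max_concurrency_by_location(CALLS, per_location=True))
```

With these rows the pooled computation reports a maximum of 3 concurrent calls for location 9001, because its 09:06 call is counted against the two 8374 calls in progress at that moment, whereas 9001 never actually has more than one call active. Location 8374 happens to come out the same both ways, which is why the error is easy to miss when eyeballing a timechart.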