Hi, I am trying to calculate the number of Active Calls at any 'given time' from Call Detail Records (CDR). CDRs store the 'callConnect' and 'callDisconnect' time in a single CDR event. Logically speaking, at any 'given time' the number of active calls = number of CDR events that have 'callDisconnect' > 'given time' (while evaluating all the CDR call records older than 'given time'). How can we implement this as a Splunk search query? Any ideas? Thanks. HB.
You can use the concurrency command, and let's assume that callConnect is set as the Splunk event timestamp, i.e., _time:
sourcetype=mycdrs | eval dur = callDisconnect-_time | concurrency duration=dur
Depending on the format, you may have to apply the strptime() function to convert callDisconnect to epoch time (_time will already be in epoch time), but the above is pretty much it.
Thanks. Looks like it did the trick!!
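Added example, not part of the original thread: a small Python model of the calculation discussed above, useful for checking the numbers a search returns against a handful of records. It counts calls with callConnect <= t < callDisconnect, both at an arbitrary time (the question's definition) and at each call's start (the point at which the concurrency command reports its count). The timestamp format, the UTC assumption, the sample records and all function names are assumptions made for the example.

```python
from bisect import bisect_right
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"  # assumed CDR timestamp format; adjust to your records

# Constructed sample CDRs: (callConnect, callDisconnect)
SAMPLE_CDRS = [
    ("2024-01-01 10:00:00", "2024-01-01 10:05:00"),
    ("2024-01-01 10:02:00", "2024-01-01 10:03:00"),
    ("2024-01-01 10:04:00", "2024-01-01 10:10:00"),
    ("2024-01-01 10:06:00", "2024-01-01 10:07:00"),
]

def to_epoch(ts):
    """Timestamp string -> epoch seconds (the strptime() step; UTC assumed)."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp()

def build_index(cdrs):
    """Return sorted connect and disconnect epochs, skipping malformed records."""
    calls = [(to_epoch(c), to_epoch(d)) for c, d in cdrs]
    calls = [(c, d) for c, d in calls if d >= c]  # disconnect before connect: drop
    starts = sorted(c for c, _ in calls)
    ends = sorted(d for _, d in calls)
    return starts, ends

def active_at(index, ts):
    """Calls active at ts: connected at or before ts and not yet disconnected."""
    starts, ends = index
    t = to_epoch(ts)
    started = bisect_right(starts, t)  # callConnect <= t
    ended = bisect_right(ends, t)      # callDisconnect <= t, so no longer active
    return started - ended

def concurrency_at_starts(cdrs):
    """Active-call count at each call's own callConnect, in time order."""
    index = build_index(cdrs)
    return [(c, active_at(index, c)) for c, _ in sorted(cdrs)]

def peak_concurrency(cdrs):
    """Highest count seen; a peak always coincides with some call's start."""
    return max((n for _, n in concurrency_at_starts(cdrs)), default=0)

if __name__ == "__main__":
    for start, n in concurrency_at_starts(SAMPLE_CDRS):
        print(start, n)
    print("peak:", peak_concurrency(SAMPLE_CDRS))
```

A call that disconnects exactly at the queried time is counted as no longer active, matching the 'callDisconnect' > 'given time' condition in the question.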