topic Re: How to create time chart group by time and userId in #Random

How to create time chart group by time and userId

rajarshi2576 — Wed, 14 Oct 2020 03:17:31 GMT

I have the below log text

2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : received users : {"userId":"12333","userType":"Normal"}

2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : Received usertype is:Normal

2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.s.ReceiverPrepaidService : Validating the User with userID:1233 systemID:111wdsa

2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.util.Common : The Reason Code is valid for UserId: 12333 userId:12333

2020-10-12 12:30:22.577 INFO 1 --- [ener-4] c.t.t.o.s.r.OlServiceValidatorDao : Saving User into DB ..... with User-ID:12333

........

again same type of lines

I need to extract the userId and timestamp from

line : Validating the User with userID:1233 systemID:111wdsa

I am able to extract userId and group by it with count

index="tim" logGroup="/ecs/strr" "logEvents{}.message"="*Validating the User with userID*" | spath output=myfield path=logEvents{}.message | rex field=myfield "(?<=Validating the User with userID*:)(?<userId>[0-9]+)(?= systemID:)" table userId | dedup userId | stats count values(userId) by userId

but can not extract the time stamp and create the time chart with userId group by timestamp from all log text

Any help would really help ful for us

Re: How to create time chart group by time and userId

richgalloway — Tue, 13 Oct 2020 13:52:49 GMT

You don't need to extract timestamps since Splunk does that for you. The _time field is not available for a timechart because the stats command discarded it. Try this query, instead.

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" | spath output=myfield path=logEvents{}.message | rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" | fields userId | timechart span=1d count by userId

Re: How to create time chart group by time and userId

rajarshi2576 — Wed, 14 Oct 2020 04:28:03 GMT

It returns null as a table column I exclude it by usenull=f

It is giving userId wise count like for Today :

userId1 in below row count 2 userId2 in below count 3.

_time | userId1 | userId2 | Null

2020-10-14 | 11 | 0 | 11

2020-10-13 | 10 | 0 | 10

But I want per day total userId. let say for today total userId: 5 (not individually).

_time | total |

2020-10-14| 11 |

2020-10-13| 12 |

Hope its clear now

Thanks

Re: How to create time chart group by time and userId

rajarshi2576 — Wed, 14 Oct 2020 09:27:43 GMT

Solved

Re: How to create time chart group by time and userId

richgalloway — Wed, 14 Oct 2020 13:28:39 GMT

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.