Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to add the timechart command to my current search query.

man03359
Communicator
‎09-26-2023 03:35 AM

Hi All,

Hope this find you well,

I have built a pretty simple search query for my dashboard, plotting line chart graph (for monitoring payments done by different debit/credit card types e.g., Giro, Mastercard etc. for every 5 minutes) using transaction command and then searching for the card type in the log and then extracting the value using regex in the field named "Card Type".

 

 

 

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| timechart span=5m sum(girocard) AS "Girocard"

 

 

Now I have to modify the query in order to filter it out based on Country and Store, query I am using is-

 

 

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| append
    [| inputlookup Stores_TimeZones.csv where Store=tkg* ]
| timechart span=5m sum(girocard) AS "Girocard" latest(Country) AS Country latest(City) AS City

 

 

I am unable to get the output for Country and City, what am I doing wrong?

Please help.

Thanks in advance 🙂

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2023 03:42 AM

Hi @man03359,

the timechart command has onlòy one output not more, eventually grouprd using the BY clause.

If you want more values, you have to use bin and stats:

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| append
    [| inputlookup Stores_TimeZones.csv where Store=tkg* ]
| bin span=5m _time
| stats 
   sum(girocard) AS "Girocard" 
   latest(Country) AS Country 
   latest(City) AS City
   BY _time

Ciao.

Giuseppe

0 Karma
Reply

man03359
Communicator
‎09-26-2023 04:24 AM

I tried the suggested query, but I am still not able to get the output for the Country and City.

Attaching the output image.

Preview file
65 KB
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...