Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to add the timechart command to my current search query.

man03359
Communicator
‎09-26-2023 03:35 AM

Hi All,

Hope this find you well,

I have built a pretty simple search query for my dashboard, plotting line chart graph (for monitoring payments done by different debit/credit card types e.g., Giro, Mastercard etc. for every 5 minutes) using transaction command and then searching for the card type in the log and then extracting the value using regex in the field named "Card Type".

 

 

 

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| timechart span=5m sum(girocard) AS "Girocard"

 

 

Now I have to modify the query in order to filter it out based on Country and Store, query I am using is-

 

 

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| append
    [| inputlookup Stores_TimeZones.csv where Store=tkg* ]
| timechart span=5m sum(girocard) AS "Girocard" latest(Country) AS Country latest(City) AS City

 

 

I am unable to get the output for Country and City, what am I doing wrong?

Please help.

Thanks in advance 🙂

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-26-2023 03:42 AM

Hi @man03359,

the timechart command has onlòy one output not more, eventually grouprd using the BY clause.

If you want more values, you have to use bin and stats:

index=idx-stores-pos sourcetype=GSTR:Adyen:log
| transaction host startswith="Transaction started" maxpause=90s
| search "*Additional Data : key - cardType*"
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)"
| eval girocard=if((CardType=="girocard"),1,0)
| append
    [| inputlookup Stores_TimeZones.csv where Store=tkg* ]
| bin span=5m _time
| stats 
   sum(girocard) AS "Girocard" 
   latest(Country) AS Country 
   latest(City) AS City
   BY _time

Ciao.

Giuseppe

0 Karma
Reply

man03359
Communicator
‎09-26-2023 04:24 AM

I tried the suggested query, but I am still not able to get the output for the Country and City.

Attaching the output image.

Preview file
65 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...