Solved: How to create time chart group by time and userId

rajarshi2576 · ‎10-13-2020

I have the below log text

2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : received users : {"userId":"12333","userType":"Normal"}

2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : Received usertype is:Normal

2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.s.ReceiverPrepaidService : Validating the User with userID:1233 systemID:111wdsa

2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.util.Common : The Reason Code is valid for UserId: 12333 userId:12333

2020-10-12 12:30:22.577 INFO 1 --- [ener-4] c.t.t.o.s.r.OlServiceValidatorDao : Saving User into DB ..... with User-ID:12333

........

again same type of lines

I need to extract the userId and timestamp from

line : Validating the User with userID:1233 systemID:111wdsa

I am able to extract userId and group by it with count

index="tim" logGroup="/ecs/strr" "logEvents{}.message"="*Validating the User with userID*" | spath output=myfield path=logEvents{}.message | rex field=myfield "(?<=Validating the User with userID*:)(?<userId>[0-9]+)(?= systemID:)" table userId | dedup userId | stats count values(userId) by userId

but can not extract the time stamp and create the time chart with userId group by timestamp from all log text

Any help would really help ful for us

richgalloway · ‎10-13-2020

You don't need to extract timestamps since Splunk does that for you. The _time field is not available for a timechart because the stats command discarded it. Try this query, instead.

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields userId 
| timechart span=1d count by userId

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-14-2020

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-13-2020

You don't need to extract timestamps since Splunk does that for you. The _time field is not available for a timechart because the stats command discarded it. Try this query, instead.

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields userId 
| timechart span=1d count by userId

---
If this reply helps you, Karma would be appreciated.

rajarshi2576 · ‎10-13-2020

It returns null as a table column I exclude it by usenull=f

It is giving userId wise count like for Today :

userId1 in below row count 2 userId2 in below count 3.

_time | userId1 | userId2 | Null

2020-10-14 | 11 | 0 | 11

2020-10-13 | 10 | 0 | 10

But I want per day total userId. let say for today total userId: 5 (not individually).

_time | total |

2020-10-14| 11 |

2020-10-13| 12 |

Hope its clear now

Thanks

rajarshi2576 · ‎10-14-2020

Solved

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields dc(userId) 
| timechart span=1h dc(userId)

How to create time chart group by time and userId

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...