#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create time chart group by time and userId

rajarshi2576
Explorer
‎10-13-2020 04:31 AM

I have the below log text  

 

2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : received users : {"userId":"12333","userType":"Normal"}
2020-10-12 12:30:22.538 INFO 1 --- [ener-4] c.t.t.o.s.service.recServi : Received usertype is:Normal
2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.s.ReceiverPrepaidService : Validating the User with userID:1233 systemID:111wdsa
2020-10-12 12:30:22.540 INFO 1 --- [ener-4] c.t.t.o.s.util.Common : The Reason Code is valid for UserId: 12333 userId:12333
2020-10-12 12:30:22.577 INFO 1 --- [ener-4] c.t.t.o.s.r.OlServiceValidatorDao : Saving User into DB ..... with User-ID:12333
 
........
 
again same type of lines 
 
I need to extract the userId and timestamp from 
 
line : Validating the User with userID:1233 systemID:111wdsa
 
I am able to extract userId and group by it with count
 
index="tim" logGroup="/ecs/strr" "logEvents{}.message"="*Validating the User with userID*" | spath output=myfield path=logEvents{}.message | rex field=myfield "(?<=Validating the User with userID*:)(?<userId>[0-9]+)(?= systemID:)"  table userId | dedup userId | stats count values(userId) by userId
 
 
but can not extract the time stamp and create the time chart with userId group by timestamp from all log text
 
Any help would really help ful for us
 
 
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2020 06:52 AM

You don't need to extract timestamps since Splunk does that for you.  The _time field is not available for a timechart because the stats command discarded it.  Try this query, instead.

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields userId 
| timechart span=1d count by userId
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2020 06:28 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2020 06:52 AM

You don't need to extract timestamps since Splunk does that for you.  The _time field is not available for a timechart because the stats command discarded it.  Try this query, instead.

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields userId 
| timechart span=1d count by userId
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rajarshi2576
Explorer
‎10-13-2020 08:10 PM

It returns null as a table column  I exclude it by usenull=f

It is giving userId wise count like for Today :

userId1 in below row count 2 userId2 in below count 3.

_time  |    userId1  | userId2 | Null

2020-10-14 | 11   | 0      | 11

2020-10-13 | 10 |   0 |      10

 

 

But I want per day total userId. let say for today total userId: 5 (not individually).

_time |    total |

2020-10-14| 11 |

2020-10-13| 12  |

 

Hope its clear now

 

Thanks

0 Karma
Reply
Solved! Jump to solution

rajarshi2576
Explorer
‎10-14-2020 02:27 AM

Solved

 

index="tim" logGroup="/ecs/sit-ol-service-validator" "logEvents{}.message"="*Validating the User with userID*" 
| spath output=myfield path=logEvents{}.message 
| rex field=myfield "Validating the User with userID:(?<userId>[0-9]+) systemID:" 
| fields dc(userId) 
| timechart span=1h dc(userId)
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...