Re: Timechart Count by multiple regexed fields

neill_freer · ‎07-26-2017

I'm trying to create a timechart that tracks the total count of 3 different areas of error per day. I've regexed out each type which works fine, but I cannot get a timechart to work at all.

This is my current splunk search:

host="hostname" sourcetype=sourcetypename "[ERROR]" | rex field=_raw "\.php\:\d+\n(?P<StackTraceError>.*)\:\n" | rex field=_raw "\\\LdapServiceProvider\:\:(?P<IncorrectUsernameOrPassword>.+)\s" | rex field=_raw "\s\-\sTraceyId\:\"(?P<AppError>.+)\-\d.+\"\s\-\-"

Any ideas?

DalJeanis · ‎07-26-2017

Try this...

 host="hostname" sourcetype=sourcetypename "[ERROR]" 
| rex field=_raw "\.php\:\d+\n(?P<StackTraceError>.*)\:\n" 
| rex field=_raw "\\\LdapServiceProvider\:\:(?P<IncorrectUsernameOrPassword>.+)\s" 
| rex field=_raw "\s\-\sTraceyId\:\"(?P<AppError>.+)\-\d.+\"\s\-\-"
| bin _time span=1m
| stats count(StackTraceError) as StackTraceError count(IncorrectUsernameOrPassword) as IncorrectUsernameOrPassword count(AppError) as AppError by _time
| untable _time errortype errorcount
| timechart sum(errorcount) as errorcount by errortype

niketn · ‎07-26-2017

What is the issue you are facing with timechart? What is the timechart query you are running?

Are you able to display values in table using

 | head 10 
 | table _time StackTraceError IncorrectUserNameOrPassword AppError

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Timechart Count by multiple regexed fields

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Timechart Count by multiple regexed fields

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits