Splunk Search

Create time chart for frequency of results from a specific search

Callum_f
Engager

Hey Everyone,

I am new to Splunk and am struggling to create a simple time chart for a query I have made.

 

I want to create a time chart over the last 3 months of the frequency of a specific search I have made, to visualise how frequently the results are created.

 

My query: index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup*

 

Some help would be greatly appreciated.


venkatasri
Motivator

Hi @Callum_f 

Can you try this? Select the 3-month time range that you wish.

 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | timechart count

 

 --

An upvote would be appreciated if this reply helps and Accept the solution!


Callum_f
Engager

Hi @venkatasri ,

 

Thank you, this has helped! Would you also know how to do a unique count as well? For instance, using this query

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | timechart count

and I want to find which users occur the most in these calls. The parameter is just "user", e.g. user = 76757549

and the users that occur most in the search over the 3 months.

 

Thanks again,

 

Callum


venkatasri
Motivator

Hi @Callum_f 

Hope this helps for a distinct count of users by instance. Just a note: 3 months is too long, and the timechart command cannot display more than 10k values by default.

 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | timechart dc(user) as unique_user_count by host

 


venkatasri
Motivator

@Callum_f 

To find top 5 users you can run this, adjust limit=<number>

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* | top limit=5 user 

 


Callum_f
Engager

Hi, @venkatasri 

The event text contains this text: "Lambda Request Payload -> {"user":"8573993" etc..."

When I try the below I get nothing in the sampling; is this because it's not a searchable parameter?

As there are no results in statistics.

What I am looking for is to get a result, e.g. "user":"8573993" = 12, showing the top 5 most frequently occurring users.

 

 


venkatasri
Motivator

Hi @Callum_f 

Yes, I thought the user field was already available; it needs to be extracted first.

 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"
| top limit=5 user 

 

 

--

An upvote would be appreciated if this reply helps and Accept the solution!


Callum_f
Engager

Sorry @venkatasri, I was wrong. I need to create a graph/list and count of how many different users are shown in the results. Is this possible?


venkatasri
Motivator

@Callum_f  

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| bin span=1d _time
| stats values(user) as  user_list, dc(user) as unique_user_count by _time

Can you try whether this works?


Callum_f
Engager

@venkatasri yes it did! thank you so much


venkatasri
Motivator

@Callum_f glad it helped!

 


Callum_f
Engager

Hi @venkatasri 

Sorry to keep asking questions. I just wanted to ask if there was a way to search a field like the user field to see how much they are spending if there is a letter in front of it.

e.g. "cost" : "C1000" showing they spent $1000. 

So for example I want to search when the user spends between C1000 and C20000. 

which would be added on to this 

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 

 


venkatasri
Motivator

Hi @Callum_f 

Something like this  might work,

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| rex "\"cost\"\s*:\s*\"C(?<cost>\d+)"
| stats sum(cost) as total_cost by user

---

An upvote would be appreciated if this reply helps!


venkatasri
Motivator

@Callum_f This one is for users between 1000 and 20000

index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup* 
| rex "\"user\":\"(?<user>\d+)"  
| rex "\"cost\"\s*:\s*\"C(?<cost>\d+)"
| stats sum(cost) as total_cost by user 
| where  total_cost >= 1000 AND total_cost <= 20000

---

An upvote would be appreciated if this reply helps!


Callum_f
Engager

Hi @venkatasri 

unfortunately that didn't work 😞

I am not concerned with repeat users now, don't know if that changes anything.

is there a way to take off the C in the search so it just looks for the numbers in the cost parameter?

 


venkatasri
Motivator

@Callum_f It could be an issue with the regex; I would need the complete event having cost and user in it. I would advise opening a new thread, as the original solution for this thread is already closed. Describe what you need there and share the full event.

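Added example (not from the thread, and not Splunk's own code): a Python re-implementation of the searches discussed above, run offline over constructed sample events, so the regexes and the stats logic can be checked without a Splunk instance. It covers the rex + top answer, the bin span=1d + stats values/dc answer, and the cost regex with the 1000 to 20000 range filter, both as the per-user total the reply computes and as a per-event filter for the case where repeat users do not matter. The six events, the timestamps, the user ids and the C-prefixed costs are all made up; the event layout mirrors the fragment the asker quoted. It also shows the caveat a practitioner would want here: the thread's cost regex requires whitespace on both sides of the colon (\s+), so it silently extracts nothing from compact JSON such as "cost":"C1000", which is one plausible reason the range search returned nothing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the original thread). The payload layout
# mirrors the fragment the asker quoted: Lambda Request Payload -> {"user":"8573993" ...
# The second event writes "cost" : "C1500" with spaces around the colon, as in the
# asker's post; the rest use compact JSON, which is what a Lambda would usually log.
SAMPLE_EVENTS = [
    ("2021-08-01T10:00:00Z", 'Lambda Request Payload -> {"user":"8573993","cost":"C1000","type":"topup"}'),
    ("2021-08-01T11:30:00Z", 'Lambda Request Payload -> {"user":"76757549","cost" : "C1500","type":"topup"}'),
    ("2021-08-02T09:15:00Z", 'Lambda Request Payload -> {"user":"8573993","cost":"C5000","type":"topup"}'),
    ("2021-08-02T12:00:00Z", 'Lambda Request Payload -> {"user":"1122334","cost":"C25000","type":"topup"}'),
    ("2021-08-03T08:45:00Z", 'Lambda Request Payload -> {"user":"8573993","cost":"C3000","type":"topup"}'),
    ("2021-08-03T16:20:00Z", 'lambda-warmer keep-alive ping'),  # dropped by NOT (lambda-warmer)
]

# Same expressions as the SPL rex commands in the thread (Python named-group syntax).
USER_RE = re.compile(r'"user":"(?P<user>\d+)')
COST_RE_STRICT = re.compile(r'"cost"\s+:\s+"C(?P<cost>\d+)')  # needs whitespace round the colon
COST_RE = re.compile(r'"cost"\s*:\s*"C(?P<cost>\d+)')         # also matches compact JSON


def extract(events=SAMPLE_EVENTS, cost_re=COST_RE):
    """Equivalent of the base search plus the two rex commands.

    Returns one record per matching event: {"day", "user", "cost"}; cost is None
    when the regex does not match, just as Splunk leaves the field unset.
    """
    records = []
    for ts, raw in events:
        if "lambda-warmer" in raw or "topup" not in raw:
            continue
        m_user = USER_RE.search(raw)
        if not m_user:
            continue  # no user field: top/stats by user would ignore it anyway
        m_cost = cost_re.search(raw)
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        records.append({"day": day, "user": m_user["user"],
                        "cost": int(m_cost["cost"]) if m_cost else None})
    return records


def count_per_day(records):
    """| timechart span=1d count"""
    return dict(sorted(Counter(r["day"] for r in records).items()))


def top_users(records, limit=5):
    """| top limit=<limit> user   (ties broken by user id for determinism)"""
    counts = Counter(r["user"] for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def unique_users_per_day(records):
    """| bin span=1d _time | stats values(user) as user_list, dc(user) as unique_user_count by _time"""
    per_day = defaultdict(set)
    for r in records:
        per_day[r["day"]].add(r["user"])
    return {day: {"user_list": sorted(users), "unique_user_count": len(users)}
            for day, users in sorted(per_day.items())}


def total_cost_by_user(records, low=1000, high=20000):
    """| stats sum(cost) as total_cost by user | where total_cost >= low AND total_cost <= high"""
    totals = defaultdict(int)
    for r in records:
        if r["cost"] is not None:
            totals[r["user"]] += r["cost"]
    return {u: t for u, t in totals.items() if low <= t <= high}


def events_with_cost_between(records, low=1000, high=20000):
    """Per-event filter (| where cost >= low AND cost <= high) for the case where
    repeat users do not matter and each top-up is judged on its own."""
    return [r for r in records if r["cost"] is not None and low <= r["cost"] <= high]


def missing_cost(records):
    """Number of events where the cost regex failed to extract anything."""
    return sum(1 for r in records if r["cost"] is None)


if __name__ == "__main__":
    recs = extract()
    print("events per day:", count_per_day(recs))
    print("top users:", top_users(recs))
    print("unique users per day:", unique_users_per_day(recs))
    print("strict cost regex misses", missing_cost(extract(cost_re=COST_RE_STRICT)), "of", len(recs))
    print("total cost by user in range:", total_cost_by_user(recs))
    print("events with cost in range:", len(events_with_cost_between(recs)))
```

Note that with the strict regex only the one event that has spaces around the colon yields a cost, so the per-user totals and the range filter are computed over almost no data; the same thing happens in Splunk, where a rex that does not match simply leaves the field empty and the where clause then drops the row. The fix is \s* instead of \s+, and, when the result is still empty, checking an actual raw event against the regex before trusting the stats.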

Callum_f
Engager

@venkatasri Thank you so much!! you have been a massive help!!
