Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help needed Timechart Query

Macky_29
Explorer
‎01-26-2023 11:45 AM

Dear experts , 

I am searching on my bot index, which contain conve-id and rest of the fields are stored as payload. Using spath i am able to extract required fields from payload into a table , now for trend analysis i want to use time chart command to see number of users per month , however its not working , below is the query for your reference , need help with the query :

index=idx_chatbot logpoint=response-in AND service="journeyService" OR service="watsonPostMessage"
|spath input=payload output=displayname path=context.displayName 
| spath input=payload output=Country path=context.countryCode 
| spath input=payload output=Intent path=intents{}.intent 
|spath input=payload output=ticketResponse 
       path=response.createTicketResponse.Message 
| table conversation-id timestamp service duration logpoint userFeedback displayname text Country Intent category ticketResponse payload
| dedup conversation-id
| timechart span=1mon count(displayName)
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2023 09:23 PM

You can't do a timechart without the _time field and your table command effectively removes the _time field

Also, not sure why your timechart is count(displayName) as that is counting occurrences of that field in all the deduped conversation-id events - so unless it is blank in some events, it will be a 1:1 relationship with conversation-id. 

It would seem that you are looking to count the number of individual conversations, so you would get this by replacing your last 3 lines with

 

| timechart span=1mon dc(conversation-id)

 

but if you are looking for distinct displayName then you can still replace the last 3 lines with

| timechart span=1mon dc(displayName)

 unless you have have many _different_ displayName values for a single conversation-id

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Macky_29
Explorer
‎01-26-2023 09:09 PM

Macky_29_0-1674795926214.png

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-26-2023 12:12 PM

"Its not working" gives us nothing to work with.  Help us help you by explaining what the expected results are and what you are getting from the current query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Macky_29
Explorer
‎01-26-2023 09:07 PM

@richgalloway 

It doesn't give any result , below is the screenshot

Macky_29_0-1674795974883.png

 

I am expecting it gives me monthly count (trend)of distinct display name i.e. users in my case.

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2023 09:23 PM

You can't do a timechart without the _time field and your table command effectively removes the _time field

Also, not sure why your timechart is count(displayName) as that is counting occurrences of that field in all the deduped conversation-id events - so unless it is blank in some events, it will be a 1:1 relationship with conversation-id. 

It would seem that you are looking to count the number of individual conversations, so you would get this by replacing your last 3 lines with

 

| timechart span=1mon dc(conversation-id)

 

but if you are looking for distinct displayName then you can still replace the last 3 lines with

| timechart span=1mon dc(displayName)

 unless you have have many _different_ displayName values for a single conversation-id

0 Karma
Reply
Solved! Jump to solution

Macky_29
Explorer
‎01-26-2023 09:50 PM

Thanks Bowesmana it works 😊

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...