
How do I edit my search to add a second field (value) to my chart?

Communicator

I have this string and want to add a second value, "accountNumber", to the chart. How can I do that?

Current string:

| rex "(?i) IP (?P<clientIp>[^ ]+)"
| rex "(?i) username (?P<UsrName>[^ ]+)"
| chart dc(UsrName) over clientIp
| sort - dc(UsrName)

I want to add "account number" to the chart. I tried this, but it didn't work.

| rex "(?i) IP (?P<clientIp>[^ ]+)"
| rex "(?i) username (?P<UsrName>[^ ]+)" 
| chart dc(UsrName) over clientIp, accountNumber  
| sort - dc(UsrName)

So, what I am trying to get is a chart with accountNumber and client IP username.

Thanks


Re: How do I edit my search to add a second field (value) to my chart?

SplunkTrust

Try something like this

| rex "(?i) IP (?P<clientIp>[^ ]+)"
| rex "(?i) username (?P<UsrName>[^ ]+)"
| eval clientIp=clientIp+"-"+accountNumber
| chart dc(UsrName) over clientIp
| sort - dc(UsrName)

OR

| rex "(?i) IP (?P<clientIp>[^ ]+)"
| rex "(?i) username (?P<UsrName>[^ ]+)"
| stats dc(UsrName) by clientIp, accountNumber
| sort - dc(UsrName)
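
A self-contained version of the second suggestion, added here as an example and not code from the thread: the events are constructed with makeresults, and the accountNumber extraction and the distinctUsers column name are assumptions. The fillnull step keeps events that carry no accountNumber, which a stats split by that field would otherwise leave out of the results.

```spl
| makeresults
| eval constructed_events=split(
    "login IP 192.0.2.10 username alice accountNumber 1001;" .
    "login IP 192.0.2.10 username bob accountNumber 1001;" .
    "login IP 192.0.2.10 username carol accountNumber 2002;" .
    "login IP 198.51.100.7 username dave accountNumber 3003;" .
    "login IP 198.51.100.7 username erin", ";")
| mvexpand constructed_events
| eval _raw=constructed_events
| rex "(?i) IP (?P<clientIp>[^ ]+)"
| rex "(?i) username (?P<UsrName>[^ ]+)"
| rex "(?i) accountNumber (?P<accountNumber>[^ ]+)"
| fillnull value="unknown" accountNumber
| stats dc(UsrName) AS distinctUsers BY clientIp, accountNumber
| sort - distinctUsers
```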