Splunk Search

How do I show search value with timechart?

lamnguyentt1
Explorer

Dear professionals,

I have a search string like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]"

And this is the result. The results have "bankAccount" value.

lamnguyentt1_0-1648019147433.png

Then I add timechart like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
|timechart span=1m count as today
|fields today

How can I add a column for bankAccount when today = 1?

splunk-3.PNG
Thank you

Labels (4)
0 Karma

inventsekar
Super Champion

Hi @lamnguyentt1 

1) i think the regex is not needed as you filter that on first line itself. 

2) timechart requires a "BY" clause i think. 

Please check this one:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
|timechart span=1m count as today BY host
|fields today
PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.
0 Karma

gcusello
Esteemed Legend

Hi @lamnguyentt1,

there's something not clear for me in your search: why do you extract "relatedPersons" field if you don't use in timechart?

Rememeber that after a transaction command (as stats or timechart), you have only the fields in the command, in your case only _time and count renamed in today.

If you want more fields you have to put them in the command, e.g.:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| timechart span=1m count as today BY bankAccount

If you want more fields (e.g. relatedPersons), you have to use bin and stats, something like this:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
| bin span=1m _time
| stats values(relatedPersons) AS relatedPersons count as today BY bankAccount

Ciao.

Giuseppe

0 Karma

lamnguyentt1
Explorer

Dear Mr. @gcusello 

For clearly,

The origin search is 

index="hcg_oapi_prod" relatedPersons

And this is results

lamnguyentt1_1-1648024296300.png

 

I want to create the alert when it matches this condition

1. The results have "relatedPersons":[] and don't have (firstName OR middleName OR lastName)

2. I will count the search result each 1 minute if count >1, I will send an email and I want to attach  "bankAccount value (for other person easy to search when they receive the email)

I have use your search string but it shows that

lamnguyentt1_2-1648024553765.png

Please help me, print result like this 

splunk-3.PNG

 

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...