Splunk Search

How do I show search value with timechart?

lamnguyentt1
Explorer

Dear professionals,

I have a search string like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]"

And this is the result. The results have "bankAccount" value.

lamnguyentt1_0-1648019147433.png

Then I add timechart like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
|timechart span=1m count as today
|fields today

How can I add a column for bankAccount when today = 1?

splunk-3.PNG
Thank you

Labels (4)
0 Karma

inventsekar
Ultra Champion

Hi @lamnguyentt1 

1) i think the regex is not needed as you filter that on first line itself. 

2) timechart requires a "BY" clause i think. 

Please check this one:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
|timechart span=1m count as today BY host
|fields today
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lamnguyentt1,

there's something not clear for me in your search: why do you extract "relatedPersons" field if you don't use in timechart?

Rememeber that after a transaction command (as stats or timechart), you have only the fields in the command, in your case only _time and count renamed in today.

If you want more fields you have to put them in the command, e.g.:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| timechart span=1m count as today BY bankAccount

If you want more fields (e.g. relatedPersons), you have to use bin and stats, something like this:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
| bin span=1m _time
| stats values(relatedPersons) AS relatedPersons count as today BY bankAccount

Ciao.

Giuseppe

0 Karma

lamnguyentt1
Explorer

Dear Mr. @gcusello 

For clearly,

The origin search is 

index="hcg_oapi_prod" relatedPersons

And this is results

lamnguyentt1_1-1648024296300.png

 

I want to create the alert when it matches this condition

1. The results have "relatedPersons":[] and don't have (firstName OR middleName OR lastName)

2. I will count the search result each 1 minute if count >1, I will send an email and I want to attach  "bankAccount value (for other person easy to search when they receive the email)

I have use your search string but it shows that

lamnguyentt1_2-1648024553765.png

Please help me, print result like this 

splunk-3.PNG

 

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...