Splunk Search

How do I show search value with timechart?

lamnguyentt1
Explorer

Dear professionals,

I have a search string like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]"

And this is the result. The results have a "bankAccount" value.

lamnguyentt1_0-1648019147433.png

Then I add timechart like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
|timechart span=1m count as today
|fields today

How can I add a column for bankAccount when today = 1?

splunk-3.PNG
Thank you

0 Karma

inventsekar
Super Champion

Hi @lamnguyentt1 

1) I think the regex is not needed as you filter that on the first line itself.

2) timechart requires a "BY" clause, I think.

Please check this one:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
|timechart span=1m count as today BY host
|fields today
0 Karma

gcusello
Esteemed Legend

Hi @lamnguyentt1,

there's something not clear for me in your search: why do you extract the "relatedPersons" field if you don't use it in timechart?

Remember that after a transaction command (as stats or timechart), you have only the fields in the command, in your case only _time and count renamed to today.

If you want more fields you have to put them in the command, e.g.:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| timechart span=1m count as today BY bankAccount

If you want more fields (e.g. relatedPersons), you have to use bin and stats, something like this:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
| bin span=1m _time
| stats values(relatedPersons) AS relatedPersons count as today BY bankAccount

Ciao.

Giuseppe

0 Karma

lamnguyentt1
Explorer

Dear Mr. @gcusello 

To clarify,

The original search is

index="hcg_oapi_prod" relatedPersons

And these are the results

lamnguyentt1_1-1648024296300.png


I want to create the alert when it matches this condition

1. The results have "relatedPersons":[] and don't have (firstName OR middleName OR lastName)

2. I will count the search results every 1 minute; if count > 1, I will send an email and I want to attach the "bankAccount" value (so it is easy for other people to search when they receive the email)

I have used your search string but it shows this

lamnguyentt1_2-1648024553765.png

Please help me print the result like this

splunk-3.PNG


0 Karma
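One way to get the per-minute count with the bankAccount values carried along, as an added SPL example (not code from any of the posters above). It assumes that bankAccount is already an extracted field in the hcg_oapi_prod events and that an empty relatedPersons array appears literally as "relatedPersons":[] in _raw, as in the original post; the final where clause applies the count > 1 condition from the alert requirement.

```spl
index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex _raw="\"relatedPersons\":\[\]"
| bin span=1m _time
| stats count AS today, values(bankAccount) AS bankAccount BY _time
| where today > 1
| table _time today bankAccount
```

bin followed by stats ... BY _time produces one row per minute just like timechart span=1m, but the values(bankAccount) aggregation keeps the distinct bankAccount values seen in that minute, which a count-only timechart drops. Because the where clause already enforces count > 1, the search can be saved as an alert that triggers when the number of results is greater than 0, and the bankAccount field can be referenced in the email action through the $result.bankAccount$ token. If one row per bankAccount is wanted instead of one row per minute, move bankAccount from values() into the BY clause, as in Giuseppe's second search.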