Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I show search value with timechart?

lamnguyentt1
Explorer
‎03-23-2022 12:19 AM

Dear professionals,

I have a search string like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]"

And this is the result. The results have "bankAccount" value.

lamnguyentt1_0-1648019147433.png

Then I add timechart like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
|timechart span=1m count as today
|fields today

How can I add a column for bankAccount when today = 1?

splunk-3.PNG
Thank you

Labels (4)
0 Karma
Reply

inventsekar
Super Champion
‎03-23-2022 12:40 AM

Hi @lamnguyentt1 

1) i think the regex is not needed as you filter that on first line itself. 

2) timechart requires a "BY" clause i think. 

Please check this one:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
|timechart span=1m count as today BY host
|fields today
0 Karma
Reply

gcusello
Esteemed Legend
‎03-23-2022 12:40 AM

Hi @lamnguyentt1,

there's something not clear for me in your search: why do you extract "relatedPersons" field if you don't use in timechart?

Rememeber that after a transaction command (as stats or timechart), you have only the fields in the command, in your case only _time and count renamed in today.

If you want more fields you have to put them in the command, e.g.:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| timechart span=1m count as today BY bankAccount

If you want more fields (e.g. relatedPersons), you have to use bin and stats, something like this:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
| bin span=1m _time
| stats values(relatedPersons) AS relatedPersons count as today BY bankAccount

Ciao.

Giuseppe

0 Karma
Reply

lamnguyentt1
Explorer
‎03-23-2022 01:36 AM

Dear Mr. @gcusello 

For clearly,

The origin search is 

index="hcg_oapi_prod" relatedPersons

And this is results

lamnguyentt1_1-1648024296300.png

 

I want to create the alert when it matches this condition

1. The results have "relatedPersons":[] and don't have (firstName OR middleName OR lastName)

2. I will count the search result each 1 minute if count >1, I will send an email and I want to attach  "bankAccount value (for other person easy to search when they receive the email)

I have use your search string but it shows that

lamnguyentt1_2-1648024553765.png

Please help me, print result like this 

splunk-3.PNG

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...