Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I show search value with timechart?

lamnguyentt1
Explorer
‎03-23-2022 12:19 AM

Dear professionals,

I have a search string like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]"

And this is the result. The results have "bankAccount" value.

lamnguyentt1_0-1648019147433.png

Then I add timechart like this

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
|timechart span=1m count as today
|fields today

How can I add a column for bankAccount when today = 1?

splunk-3.PNG
Thank you

Labels (4)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎03-23-2022 12:40 AM

Hi @lamnguyentt1 

1) i think the regex is not needed as you filter that on first line itself. 

2) timechart requires a "BY" clause i think. 

Please check this one:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
|timechart span=1m count as today BY host
|fields today
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2022 12:40 AM

Hi @lamnguyentt1,

there's something not clear for me in your search: why do you extract "relatedPersons" field if you don't use in timechart?

Rememeber that after a transaction command (as stats or timechart), you have only the fields in the command, in your case only _time and count renamed in today.

If you want more fields you have to put them in the command, e.g.:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| timechart span=1m count as today BY bankAccount

If you want more fields (e.g. relatedPersons), you have to use bin and stats, something like this:

index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName)
| regex "\"relatedPersons\":\[\]"
| bin span=1m _time
| stats values(relatedPersons) AS relatedPersons count as today BY bankAccount

Ciao.

Giuseppe

0 Karma
Reply

lamnguyentt1
Explorer
‎03-23-2022 01:36 AM

Dear Mr. @gcusello 

For clearly,

The origin search is 

index="hcg_oapi_prod" relatedPersons

And this is results

lamnguyentt1_1-1648024296300.png

 

I want to create the alert when it matches this condition

1. The results have "relatedPersons":[] and don't have (firstName OR middleName OR lastName)

2. I will count the search result each 1 minute if count >1, I will send an email and I want to attach  "bankAccount value (for other person easy to search when they receive the email)

I have use your search string but it shows that

lamnguyentt1_2-1648024553765.png

Please help me, print result like this 

splunk-3.PNG

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...