I am new to Splunk and need to query for a particular field. The events look something like this:
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: popeye
Experience: 32
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: jack
Experience: 12
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: popeye
Experience: 32
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
playerName: popeye
experience: 32
}
I want to create an alert if any unique PlayerName count is greater than 2. For example, in this case there would be an alert for "popeye".
I was able to extract the field and the count using |stats count by playerName.
You say you tried |stats count by playerName but not what results you got from that. I suspect you got nothing because there is no 'playerName' field. Field names are case-sensitive. Try
| stats count by PlayerName
| where count > 2
Of course, that presumes the PlayerName field is extracted already.
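To make the case-sensitivity point concrete, here is an added Python example (not part of the original thread and not Splunk code) that emulates the two SPL steps from the answer over a constructed copy of the sample events: a field extraction followed by `stats count by` and `where count > 2`. The event splitting, the `PlayerName:` extraction regex, the `ignore_case` switch and the threshold of 2 are assumptions of this example, not Splunk behaviour. With exact-case matching, as Splunk field names behave, "popeye" is counted only twice in the sample, because the fourth event spells the field `playerName`; only a deliberately case-insensitive extraction reaches the count of 3 that would fire the alert.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log modelled on the events in the question (not the asker's real data).
SAMPLE_LOG = """[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: popeye
Experience: 32
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: jack
Experience: 12
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
PlayerName: popeye
Experience: 32
}
[2022-08-27 10:49:54.909.196][0x0000219c][Info][GENERAL] Player{
playerName: popeye
experience: 32
}
"""

# Assumption: each event begins with a bracketed date and runs until the next one.
EVENT_START = re.compile(r"^\[\d{4}-\d{2}-\d{2} ", re.MULTILINE)


def split_events(log: str) -> list:
    """Split the raw log into one string per multi-line event."""
    starts = [m.start() for m in EVENT_START.finditer(log)]
    ends = starts[1:] + [len(log)]
    return [log[s:e].strip() for s, e in zip(starts, ends)]


def extract_field(event: str, name: str, ignore_case: bool = False) -> Optional[str]:
    """Return the value of a `name: value` line inside an event, or None if absent.

    Exact-case matching (the default) mirrors Splunk's case-sensitive field names;
    ignore_case=True is this example's own switch for a deliberately relaxed extraction.
    """
    flags = re.MULTILINE | (re.IGNORECASE if ignore_case else 0)
    m = re.search(rf"^{re.escape(name)}:\s*(\S+)", event, flags)
    return m.group(1) if m else None


def count_by(log: str, name: str, ignore_case: bool = False) -> dict:
    """Emulates `| stats count by <name>` over the extracted field."""
    values = (extract_field(ev, name, ignore_case) for ev in split_events(log))
    return dict(Counter(v for v in values if v is not None))


def alert_candidates(log: str, name: str, threshold: int = 2, ignore_case: bool = False) -> list:
    """Emulates `| where count > threshold`: the names whose event count exceeds it."""
    counts = count_by(log, name, ignore_case)
    return sorted(v for v, c in counts.items() if c > threshold)


if __name__ == "__main__":
    # Wrong-case field name: almost nothing is extracted, so nothing can alert.
    print("playerName (exact):", count_by(SAMPLE_LOG, "playerName"))
    # Correct field name: popeye=2, jack=1, still below the threshold.
    print("PlayerName (exact):", count_by(SAMPLE_LOG, "PlayerName"))
    # Relaxed extraction folds the mis-cased fourth event in: popeye=3 fires.
    print("alerts (ignore_case):", alert_candidates(SAMPLE_LOG, "PlayerName", ignore_case=True))
```

If the field is not yet extracted in Splunk, the equivalent of `extract_field` is a `rex` stage placed before `stats`, with a named capture group for `PlayerName`; the SPL in the answer then works unchanged. Whether mis-cased variants such as `playerName` should be folded together is a decision to make in that extraction, not something `stats count by` will do for you.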