https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52256#M12683 <P>Mapping userid to ip address is required so you need to determine how to get that data. You could perhaps monitor DHCP server logs. You could use lookup table - see Manager -&gt; Lookups and have the mapping defined in a file, or you could have the mapping stored in a Database and use the DBConnect app.</P> <P>Once you have that mapping you can build a search on the activity data based on userid from an input of ip address. I am not sure what you mean by plus or minus 2 hours. Do you input a time as well? Why not just specify a time range in the search?</P> Tue, 03 Sep 2013 06:28:35 GMT alanfinlay 2013-09-03T06:28:35Z https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52253#M12680 <P>So, I have just been introduced to this tool through my work. I had a question about how to link some search criteria. What I would like my search to do is search first by an IP address that I input, then link that IP address to a username, and finally give me a log of their activity within plus and minus two hours. <BR /> Thanks in advance! </P> Fri, 30 Aug 2013 20:01:48 GMT https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52253#M12680 anamolous86 2013-08-30T20:01:48Z https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52254#M12681 <P>There are good resources for learning, if you haven't looked at them, you should!</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Tutorial/WelcometotheSplunkTutorial">Splunk Tutorial</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Search/Whatsinthismanual">Search Manual</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/SearchCheatsheet">Search command cheat sheet and search language quick reference card</A></LI> <LI><A href="http://www.splunk.com/goto/book">Exploring Splunk: Search Processing Language (SPL) Primer and Cookbook</A></LI> </UL> Fri, 30 Aug 2013 20:08:12 GMT https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52254#M12681 ChrisG 2013-08-30T20:08:12Z https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52255#M12682 <P>Ah, great! The manual is going to be most helpful for me. Thank you!</P> Fri, 30 Aug 2013 20:11:30 GMT https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52255#M12682 anamolous86 2013-08-30T20:11:30Z https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52256#M12683 <P>Mapping userid to ip address is required so you need to determine how to get that data. You could perhaps monitor DHCP server logs. You could use lookup table - see Manager -&gt; Lookups and have the mapping defined in a file, or you could have the mapping stored in a Database and use the DBConnect app.</P> <P>Once you have that mapping you can build a search on the activity data based on userid from an input of ip address. I am not sure what you mean by plus or minus 2 hours. Do you input a time as well? Why not just specify a time range in the search?</P> Tue, 03 Sep 2013 06:28:35 GMT https://community.splunk.com/t5/Splunk-Search/Searching-Splunk/m-p/52256#M12683 alanfinlay 2013-09-03T06:28:35Z