topic Re: Need simple search help in Splunk Search

Need simple search help

jayrodef — Tue, 29 Mar 2011 20:18:34 GMT

Hello all, I haven't taken as much time to understand the splunk search capabilities as I should. I'm reading up today, however I need to get this search functional is quickly as possible. Basically, I have data with a User and DeviceId which have many events. I'd like to get a search that shows User with DeviceId per hour and the number of events, so something like:

1pm

testuser deviceID123 200events

2pm testuser2 deviceID456 100 events

I'm not sure if that'll explain it or if you need more detail. Appreciate any help you can offer, thanks.

Re: Need simple search help

fox — Tue, 29 Mar 2011 20:41:09 GMT

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

Re: Need simple search help

fox — Tue, 29 Mar 2011 20:41:37 GMT

index= insert your index name here

Re: Need simple search help

southeringtonp — Tue, 29 Mar 2011 20:42:04 GMT

Also take a look at the Search Reference and the included cheat sheet - http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet

Re: Need simple search help

jayrodef — Tue, 29 Mar 2011 20:53:20 GMT

Thanks so much, you guys are quick. I'm actually reading through that link now. Thanks again.