Solved: Re: 1. I am new at splunk and would like to know h...

GHOST27 · ‎07-07-2017

Starting with this:

index=* smtp sourcetype="""""""" email="*" date_month=june

I tried date_month=may AND june and it did not work. I need this:

index=* smtp sourcetype="""""""" email="*" date_month=may 
| table _time sourcetype email src det count src_tags 
| stats count by _time sourcetype src det email

And:

index=* smtp sourcetype="""""""" email="*" date_month=june 
| table _time sourcetype email src det count src_tags 
| stats count by _time sourcetype src det email

Do I use a I use the join command? Can you provide an example.

cmerriman · ‎07-07-2017

can you try this:

index= smtp sourcetype="""""""" email="" (date_month=may OR date_month=june )
| stats count by _time sourcetype src det email

View solution in original post

cmerriman · ‎07-07-2017

can you try this:

index= smtp sourcetype="""""""" email="" (date_month=may OR date_month=june )
| stats count by _time sourcetype src det email

1. I am new at splunk and would like to know how to search two separate months in the same search syntax? 2. I would also like to know how to put 2 searches in one search.

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

1. I am new at splunk and would like to know how to search two separate months in the same search syntax? 2. I would also like to know how to put 2 searches in one search.

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!