Solved: 1. I am new at splunk and would like to know how t...

GHOST27 · ‎07-07-2017

Starting with this:

index=* smtp sourcetype="""""""" email="*" date_month=june

I tried date_month=may AND june and it did not work. I need this:

index=* smtp sourcetype="""""""" email="*" date_month=may 
| table _time sourcetype email src det count src_tags 
| stats count by _time sourcetype src det email

And:

index=* smtp sourcetype="""""""" email="*" date_month=june 
| table _time sourcetype email src det count src_tags 
| stats count by _time sourcetype src det email

Do I use a I use the join command? Can you provide an example.

cmerriman · ‎07-07-2017

can you try this:

index= smtp sourcetype="""""""" email="" (date_month=may OR date_month=june )
| stats count by _time sourcetype src det email

View solution in original post

cmerriman · ‎07-07-2017

can you try this:

index= smtp sourcetype="""""""" email="" (date_month=may OR date_month=june )
| stats count by _time sourcetype src det email

1. I am new at splunk and would like to know how to search two separate months in the same search syntax? 2. I would also like to know how to put 2 searches in one search.

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform