- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to combine 2 rows to 1 row
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My search string: sourcetype="AAA"|table _time event_iduser
Results:
9/10/2015 23:24 303 user1
9/10/2015 21:50 302 user1
9/10/2015 21:50 303 user2
9/10/2015 21:50 302 user2
9/10/2015 11:21 303 user3
9/10/2015 11:18 302 user3
Hope to get results as: sourcetype="AAA" .....|table user Time_302 Time_303
Usern Time_302 Time_303
user1 9/10/2015 21:50 9/10/2015 23:24
user2 9/10/2015 21:50 9/10/2015 21:50
user3 9/10/2015 11:18 9/10/2015 11:21
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
sourcetype="AAA"|table _time event_id user | eval Time=strftime(_time,"%m/%d/%Y %H:%M") | chart values(TIme) over user by event_id limit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
sourcetype="AAA"|table _time event_id user | eval Time=strftime(_time,"%m/%d/%Y %H:%M") | chart values(TIme) over user by event_id limit=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works, great! Thanks a lot!
And, now I am hoping to make it better by adding a column, is it possible?
Originally:
9/10/2015 23:24 303 user1 info1
9/10/2015 21:50 302 user1 info1
9/10/2015 21:50 303 user2 info2
9/10/2015 21:50 302 user2 info2
9/10/2015 11:21 303 user3 info3
9/10/2015 11:18 302 user3 info3
I hope to see:
User info Time_302 Time_303
user1 info1 9/10/2015 21:50 9/10/2015 23:24
user2 info2 9/10/2015 21:50 9/10/2015 21:50
user3 info3 9/10/2015 11:18 9/10/2015 11:21
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but the results are like this:
User | Time_302 | Time_303
user1 | 9/10/2015 21:50 | 9/10/2015 21:50
| | 9/10/2015 23:24
Time_302 value were shown on both columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This could be due to a user has more than 1 event with an event_id. If there are multiple events for an event_id and you want the latest Time of it, they replace "| chart values" with "| chart latest"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
