Hey guys,
So I am trying to combine an old search with a new search of mine. I basically wanted to continually fetch the newest OOIDs that are being created and combine it with my old search, which monitors the most active OOIDs by their activity of creating, updating or deleting.
Log for newly created OOID:
So if you would like to find the most recently created OOIDs (assuming that action refers to OOID) and then find all activity after that related to those 5 OOIDs, then like this:
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)" | search [search index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)" | where action="created" | dedup OOID | head 5 | table OOID] | chart count by OOID action | addtotals | sort 5 -Total 
Works perfectly. Is there a way to add a column with a timestamp for when exactly each of the recent OOIDs was created?
Yes, operating under the same assumptions, this should work:
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)" | search [search index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)" | where action="created" | dedup OOID | head 5 | table OOID] | chart earliest(_time) count by OOID action  | rename "temp: created" AS birthday | fields - temp* | addtotals | sort 5 -Total
The timestamp is displaying as a long decimal number. Is there a way to convert it to display as a date and time?
Yes, you need the convert command (and I would use it with the fieldformat command):
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fieldformat
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert
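As an added example, not part of this thread: one SPL search that folds the three pieces discussed above (the five most recently created OOIDs, their per-action counts, and a human-readable creation time) into a single table. It picks the five newest OOIDs with stats max(_time) instead of dedup | head 5, so the result does not depend on event order, and it keeps the raw epoch in the field so the final sort is still by real time; the field names created_at, created_epoch and deleted_moved are my own.

```spl
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d
| rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)"
| search
    [ search index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d
      | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)"
      | where action="created"
      | stats max(_time) AS created_epoch by OOID
      | sort 5 -created_epoch
      | fields OOID ]
| eval created_epoch=if(action="created", _time, null())
| stats count(eval(action="created")) AS created,
        count(eval(action="updated")) AS updated,
        count(eval(action="deleted/moved")) AS deleted_moved,
        min(created_epoch) AS created_at
        by OOID
| addtotals fieldname=Total created updated deleted_moved
| fieldformat created_at=strftime(created_at, "%Y-%m-%d %H:%M:%S")
| sort -created_at
```

Because fieldformat only changes how created_at is rendered, the underlying epoch value is what the last sort uses. Subsearches are capped by default (10,000 results and 60 seconds), which is not a concern here since the inner search returns only five OOIDs.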
Definitely, we need clarification. What does your current output look like and what is the desired output? Are you looking for a new column called "Five_newest_OOIDS" or what?
My current output shows the five most active OOIDs on the left-hand side, and the legend entails created, updated, or deleted/moved.
My desired output is to have the same output, displaying the newest OOIDs with the most active ones (who is creating, updating, or deleting documents), BUT ONLY for the newest OOIDs being created. Hope this helps.
First of all, your base search is totally wrong and is not doing what you think it is. You should be doing this instead (take a close look at the difference between the outputs of your search and mine):
index=doccloud_main sourcetype=doccloud_catalina "Document workspace" earliest=-7d | rex "(?<action>created|updated|deleted\/moved) (?:.*) OOID:(?<OOID>[^,]+)" | chart count by OOID action | addcoltotals | fillnull value="Total" | eval rowTotal=0 | foreach * [eval rowTotal = rowTotal + if(isnum(<<FIELD>>),<<FIELD>>,0)] | sort 6 - rowTotal
The reason that I did sort 6 instead of sort 5 is because this includes the "Total" row (which will always be the largest) and the 5 "real" rows.
Now that we have your base search doing what you said you think it is, I need you to start ALL THE WAY OVER and explain EXACTLY what you need the modification to do, because I am still TOTALLY confused. I need you to say something like, "I need to add an additional column that shows the last action that happened for each OOID", or maybe "I need to add another 5 rows that show the 5 most recent OOIDs, which would obviously mean that only 1 of the other columns would be non-zero because it would only show the last action." These are 2 guesses that I have, but they really don't match what you said...???
