Solved: Need simple search help

jayrodef · ‎03-29-2011

Hello all, I haven't taken as much time to understand the splunk search capabilities as I should. I'm reading up today, however I need to get this search functional is quickly as possible. Basically, I have data with a User and DeviceId which have many events. I'd like to get a search that shows User with DeviceId per hour and the number of events, so something like:

1pm

testuser deviceID123 200events

2pm testuser2 deviceID456 100 events

I'm not sure if that'll explain it or if you need more detail. Appreciate any help you can offer, thanks.

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

View solution in original post

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

jayrodef · ‎03-29-2011

Thanks so much, you guys are quick. I'm actually reading through that link now. Thanks again.

southeringtonp · ‎03-29-2011

Also take a look at the Search Reference and the included cheat sheet - http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet

fox · ‎03-29-2011

index= insert your index name here

Need simple search help

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Need simple search help

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!