Solved: Need simple search help

jayrodef · ‎03-29-2011

Hello all, I haven't taken as much time to understand the splunk search capabilities as I should. I'm reading up today, however I need to get this search functional is quickly as possible. Basically, I have data with a User and DeviceId which have many events. I'd like to get a search that shows User with DeviceId per hour and the number of events, so something like:

1pm

testuser deviceID123 200events

2pm testuser2 deviceID456 100 events

I'm not sure if that'll explain it or if you need more detail. Appreciate any help you can offer, thanks.

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

View solution in original post

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

jayrodef · ‎03-29-2011

Thanks so much, you guys are quick. I'm actually reading through that link now. Thanks again.

southeringtonp · ‎03-29-2011

Also take a look at the Search Reference and the included cheat sheet - http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet

fox · ‎03-29-2011

index= insert your index name here

Need simple search help

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)