Solved: Need simple search help

jayrodef · ‎03-29-2011

Hello all, I haven't taken as much time to understand the splunk search capabilities as I should. I'm reading up today, however I need to get this search functional is quickly as possible. Basically, I have data with a User and DeviceId which have many events. I'd like to get a search that shows User with DeviceId per hour and the number of events, so something like:

1pm

testuser deviceID123 200events

2pm testuser2 deviceID456 100 events

I'm not sure if that'll explain it or if you need more detail. Appreciate any help you can offer, thanks.

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

View solution in original post

fox · ‎03-29-2011

index= | eval user_device=userid."_".deviceid | timechart span=1h count by user_device

jayrodef · ‎03-29-2011

Thanks so much, you guys are quick. I'm actually reading through that link now. Thanks again.

southeringtonp · ‎03-29-2011

Also take a look at the Search Reference and the included cheat sheet - http://www.splunk.com/base/Documentation/latest/SearchReference/SearchCheatsheet

fox · ‎03-29-2011

index= insert your index name here

Need simple search help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation