include date in request - stats count

numeroinconnu12 · ‎11-21-2019

Hello,
I have a problem.
This is my request, it works well.

    index=wineventlog EventID=4624 host=wipr625a OR host=wipr625b OR host=wipr626a OR host=wipr626b user!="DWM*"
   | stats count as "nombre de connexions" by user, host, name

I would like to include the date in my results and that's how I modified my request, only with that request my results are wrong, did I forget something?

 index=wineventlog EventID=4624 host=wipr625a OR host=wipr625b OR host=wipr626a OR host=wipr626b user!="DWM*"
| eval date=strftime(_time, "%d/%m/%Y %H:%M")
| stats count as "nombre de connexions" by user, date, host, name

thanks !

HiroshiSatoh · ‎11-21-2019

The search statement is correct. Please tell us specifically about the problem.

HiroshiSatoh · ‎11-22-2019

Is the problem that the number of results is different?
Did you check the displayed error?

https://answers.splunk.com/answers/506621/unknown-error-for-peer-xxx-search-results-might-be.html

How about the following search statement?

| bin span=1m _time
| stats count as "nombre de connexions" by user, _time, host, name

numeroinconnu12 · ‎11-22-2019

Hello @HiroshiSatoh ,

see my results without date :

and my results when i include date :

Do you see the difference?

include date in request - stats count

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

include date in request - stats count

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases