Solved: search group by

cheeseng · ‎07-12-2012

I am doing a internal audit for splunk log, the query is following

index="_audit" action = edit_user NOT "search" |table timestamp user object operation

result:

timestamp                  user      object     operation
07-12-2012 15:07:53.419    admin     cheeseng   edit 
07-12-2012 15:07:53.419    admin     cheeseng   list 
07-12-2012 14:56:18.475    admin     admin      edit 
07-12-2012 14:56:18.475    admin     admin      list 
07-12-2012 14:56:18.475    admin     cheeseng   edit

I am wondering how to group the result base on timestamp meaning same time of event should in a group
thanks

Ayn · ‎07-12-2012

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time

View solution in original post

Ayn · ‎07-12-2012

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time

search group by

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout